David Lanter

What are the issues of security that are unique to online banking in India?

I think Neil did a great job in explaining the issues pertaining to e-banking in India. Let me turn the focus a little bit towards the issues faced specifically by the mobile banking in India.

The chief information security officer, Salvi’s mandate was to ensure that HDFC Bank’s online banking platform was secure from online risks. The online banking had two parts: net banking and mobile banking. “In India, the number of mobile subscribers had grown steadily from 60.85 million in 2005–2006 to 98.77 million subscribers in 2006–2007 to 165.11 million for the year ending March 2008.” Mobile banking was an obvious successor but still a new concept in India. And, looking at the steady growth of mobile subscribers it was certain that users would most likely be using mobile phones to carry out bank transactions. Thus, it became imperative for Salvi to include mobile banking platform as an integral part of strengthening of online banking at HDFC Bank.

The security issues that are unique to online banking in India are, authentication issues; PIN authentication method is used in mobile banking, which is an old method and has risks like identity theft. Users are still uncomfortable to use mobile banking as they don’t trust that the security mechanism provided by the banks can prevent attacks. For instance, Mobile phone being a small device, if stolen, the attacker can access the user’s password from the log files. Users also have a habit to store their passwords as drafts in their phone text applications.

Most of the users see privacy as a critical issue. It is very important for banks to educate their users on this issue and increase customer awareness. And it imperative that telecommunication providers like Reliance Communications, Airtel, Vodafone, etc. to formulate a joint security policy with banks to provide a sense of assurance their users.

Further, there are also security issues if the devices are jail-broken or rooted. Thus, it becomes important for banks to ensure that their application is preventing attackers from accessing the app in such a case.
In case of internet banking, computer systems are capable to process complex encryption programs but end-to-end security was still a concern since in mobile banking, since in order to apply sophisticated cryptographic system a mobile phone should have high computational capability.

Work Cited:

http://data.worldbank.org/indicator/SP.RUR.TOTL.ZS

Work Cited

https://www.cognizant.com/InsightsWhitepapers/Mobile-Banking-Security-Challenges-Solutions-codex898.pdf

Bose, Indranil, HDFC BANK: SECURING ONLINE BANKING

The HDFC Bank at the time of the article has just begun to set up online banking for their customers. While this bring with it all the issues attached to securing regular online banking, there are some issues that only arise because they are based in India.
One unique security issue to India is that the lack of internet connectivity has led to each connection actually worth multiple people. The overall penetration rate was listed as .2 as only 2.5 million people subscribe to the internet out of 1.1 billion people. The estimated number of actual internet users at the time was 38.5 million with an expectation to increase to 100 million in 2008. Shared connections are a security nightmare as it opens up many types of attacks on your customers. Replay attacks, malware already on the computer, or redirects to a pharming site could all be done on a communal computer.
In order to even be a bank in India, you have to follow the RBI’s (The Reserve Bank of India) guidelines. The guidelines state that security policy must be approved by the board of directors of a company. Use access controls like ids and biometrics. Use of a firewall is a must. Banks must test risk and vulnerabilities every year. The servers that are used for storing information need to have physical protections to prevent unwanted tampering. Finally, the banks in India must document all up-to-date practices in security so they can be reviewed.
Phishing is a new concept to Indian banks in 2006. HDFC was the fourth bank in India to even realize they were being targeted. Those who launch phishing attacks prefer large targets so they waited until Indian banks were large enough to attack. It also hurts that the new customers of India who are new to the internet aren’t explained the dangers of phishing well. With 1.28 million online customers, it can look very bad when they are vulnerable to phishing attacks as customers may still hold the bank at fault.
When outsourcing for security help, the companies that had good track records at the time are in America as they had been dealing with online banking issues for longer. HDFC was considering hiring RSA Security to run a secure server. This creates several security issues as you would have to constantly check with your contacts in the other company to see if security is being maintained. Another factor working against outsourcing to the experts is how transcontinental links at the time were not completely stable.
Overall, India proves a tricky environment to navigate when launching an online banking system. These obstacles, with proper policies and infrastructure, should all be manageable in the end.

Salve being a CIO of Indian Bank faced one of biggest challenge that its large number of customers were offline based and in order to bring customers to online banking the IS protocols should not be so rigorous as to cause inconvenience to customers. Although HDFC Bank was not pursuing market share as a business objective in its own right, securing regular annual increases in new customer accounts was crucial to business growth, and ensuring that existing customers stayed on with the bank was equally important. Thus Salve had to balance both the security and convenience of customers

Second he also came across the problem of location of its server the proposed IS infrastructure at HDFC Bank would include two types of servers: authentication servers (housing the software that would conduct the due diligence) and online servers (facilitating the actual transfer of money from one account to another)
The bank was in talks with RSA Security but dilemma was whether the online servers should be located at HDFC’s data centers and the authentication servers at RSA’s premises. The latter were outside of India, and maintaining server at far would present yet another potential point of systemic failure

3. What are the challenges faced by Salvi?
The Indian customers had reliable trust with offline banking and when internet was on rise online banking systems attracted customers for the comfortable nature of online banking. But considering legacy systems and paper work it was not easy to transfer online banking that too with security. Maintaining security while giving customer the convenience of online banking while withholding the trust that Indian customer was the biggest problem faced by Salvi
• He had to establish a IS security framework which was new to the online banking process
• Protect online banking platform from online hazards while guaranteeing Authentication, authorization, integrity, privacy, non-repudiation
• HDFC faced phishing attack in 2007, affecting 28% of its customers. This was the time when online banking was not prepared for it and implementing corrective measure rather than preventive.
• With new online model, IS risks identification, measurement and monitoring of credit risk, market risk and operational risk
• The problem was also with setting up servers. Customers should not directly communicate with bank server this indicated use of PKI. Should the Authentication server and online server be located onsite or with vendor or on cloud? Onsite will have less potential failure. When outsourcing IS services, vendors must not store confidential data. While maturing IS systems and guaranteeing security with each additional layer the complexity of process was increasing which went against customer ease of access.
• As it was a new implementation, his major issue was finding loose ends when banking online and tighten security there.
• With growing mobile platform, they needed to implement different authentication for mobile and online banking. With mobile systems in use, technology integration while maintaining independence of IT, business integration with each business unit dealing with its own risks, risk integration
• Dormant accounts were also vulnerable to fraud. For new customer’s secure access would be provided while account is created but what about earlier customers? A fraudster can steal an ID and password of dormant online customer, make a false registration, set up himself as a beneficiary and transfer funds during the unguarded, interim period.
• While validating user, there is high possibility of false positive. With immature IS technologies, false positives were high and thus increased customer inconvenience. The dilemma that should the protocols authenticate the customer to the transaction.
What Salvi basically faced was adaptation to new architecture at the time when risks were unknown. It was more of a corrective strategy that went against the mission of engaging customer trust convinience.

One of India’s leading private banks, HDFC bank revolutionized the Public Sector Banks (PSB’s) in 1994, reducing the slow and time consuming process of depositing and withdrawing funds by implementing 24/7 self-service technologies. The implementation of customer convenient technologies posed significant challenges to the availability, security, and integrity of a changing banking industry. The Reserve Bank of India (RBI) provided new provisions for new PSB’s entering the banking sector in 1994 to create competition for a newly re-organized banking sector. Expensive upgrades to legacy systems put the traditional brick-and-mortar PSB’s at a disadvantage in acquiring the new, younger, technology savvy depositor. As a premier provider of customer centric IS solutions, HDFC extended their remote banking services by entered the on-line and mobile banking system to target the non-traditional virtual banking customers. By adapting to the changing culture, HDFC had grown to 10 million customers, 684 branches, and 1,605 ATM’s across India from 1994 to 2007.

In August 2007, HDFC clients were sent a fraudulent email from a phishing hacker asking for sensitive account information. Phishing attacks take form of website links, phone calls, or email messages. The attack entices the recipient to perform an action that will compromise their identity to steal money or personal information. (Microsoft Safety & Security Center, n.d.)

Vishal Salvi had worked for HDFC bank as the Chief Information Security Office during the attack. He was confronted with many challenges in providing the employees and customers an easy-to-use, safe and secure information system, meeting and/or exceeding the RBI banking regulations. HDFC put a heavy focus on convenience for customers by investing in real-time technologies. The innovative technologies eliminated the need to visit a local branch, but posed new security risks for the customer. There had to be a balance between quick and secure. The system would have a multi-layered authentication process to identify the account holder and verify the transaction is accurate. Identification would require a user name and password called, “first level” authentication. Salvi decided to implement “second level” authentication, requiring another level of security fields to identify the user. The second level authentication is known in banking circles at “secure access” and requires the setup of commands unique to the user, such as and image, personal message, or answering a series of questions that will be automatically generated by the system during the log-in process. (Bose, September 24, 2016)

The multi-level authentication process provided Salvi a solution to minimize the effects of a phishing attack, but system availability and redundancy are expected to satisfy customer convenience. The HDFC IS infrastructure would consist of two sets of servers: Authentication Set & Online Set. The challenge faced by Salvi was to bring both sets of servers onsite, bring one set onsite & one set hosted, or to have both sets hosted by a 3rd party provider at an off-shore location. Bringing the servers in-house would reduce systemic failure because it would be supported by HDFC employees dedicated to each set of servers, but the cost of the equipment, payroll, utilities, and other factors didn’t make the solution cost effective. RSA security is a 3rd party security solutions provider, offering cloud computing solutions and involved in countering the phishing attack. RSA offered a scalable monthly fee solution, satisfying the security, ramp-up time, and budget.

You would think the authentication and outsourcing is a “no brainer”, but each step in both procedures reduces what HDFC considers to be convenience. It may take longer for the customer to log-in due to inexperience and/or forgetting security answers, or the system may decline an authorized transaction because it didn’t fall within the validation metrics of the authentication process. What about continuity? Will RSA provide acceptable recovery time if it goes off-line? How about access to the hosted environment, will HDFC employees have access to the co-location? Careful customer consideration and transparency would be required to maintain a secure environment, while meeting the expectations of the new and existing remote banking client.

Works Cited

Microsoft Safety & Security Center. (n.d.). How to recognize phishing email messages, links, or phone calls. Retrieved from http://www.microsoft.com: https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx

Bose, I. (September 24, 2016). HDFC Bank – Securing Online Banking. Harvard Business Journal, 8.

There is another issue that is brought up in the case regarding server implementation, the issue of implementing secure framework within a short time and the cost required to do so.
With cloud The cloud model offered by RSA would take about 9 months while online model would take 15 months. With cloud HDFC Bank could opt for pay-by-use pricing, whereby the bank would be billed only for actual usage.
I think that while solving this problem or dilemma again the security issue was underseen. With the security issues going while the system was being transferred online, yet another cloud system was going to a new area to explore with new security threats.

HDFC bank becoming a target to phishing attack Salvi, the CISO was faced with the below challenges:
1. How to ensure the security of online transaction while keeping customer convenience as a priority?
For online transaction HDFC used the adaptive risk modelling where risk score was assigned to each transaction based on some predetermined parameters such as pattern of use, size of the transaction and geographical location. Higher the risk score higher will be the intervention by the system. Intervention may be OTP’s, calls from the bank to verify the transaction, asking security questions to verify the authorization. HDFC had RSA Security as service provider to monitor an ongoing phishing attack and authorized it to shut down the online banking transactions temporarily till the user goes physically to the bank to get it enabled. The bank also introduced ‘cooling period’ wherein transfer of funds to a new person could be done by adding the person as beneficiary and transfer would be initiated only after 24 hours giving time for bank to check the transaction and also giving customer the time to report fraud. It also implemented 3 factor authentication using the three authentication requirements – defining what you are, what you have and what you know. Though these measures were necessary Salvi was concerned that by introducing so many security measure it complicated the online transaction and wanted to focus on customer convenience.
2. Should secure access be mandatory or leave it to discretionary?
Dormant accounts were easily targeted for phishing attack or other attacks as anyone could get easy access to the account without raising an alert. Salvi was planning to introduce second level of authentication- secure access for all online customers which would automatically disable the account if the customer was inactive for a defined period of time. New customers would be provided Secure Access with the online registration itself. This created dilemma about the dormant users in the list of existing online customers as they were not sure on how long the they should retain them in the unguarded system before disabling their account Salvi had to make sure that he provides a timeframe for the dormant account holders to gain secure access and also make sure that this period was small enough to be misused.
3. Should the bank use onsite model or cloud model
The proposed IS infrastructure had 2 types of server: authentication server and online server. Salvi had to decide the location of the server:
a. HDFC’s own datacenter:
In onsite model the rate of system failure was low as the servers would be in the same network. In house servers would be costly as the bank would have to think about the future requirements as well.
b. Offsite, hosted by vendor(RSA Security): Internet was the medium of communication which was always exposed to threats. One more question was whether online server was to be located at HDFC’s datacenter and have the authentication server at RSA’s premises. But as vendor location was outside India, transcontinental links were required, which was open to a risk of systemic failure. To set up this system, it would take one and half years.
c. Cloud Computing(RSA Security): Here the resources would be stored in virtual environment. The main advantage of this system was that the company would be paying only for the storage space used and could be expanded as and when the need arises. Cloud model would take 9 months to go live. The cloud model had multiple options for network connectivity- Internet: no additional cost but was less reliable, Build dedicated bandwidth- reliable but would require high investment, Proxy Server- hosted by vendor but the Bank will have less control.
As setting up IS system was not the main objective of the business but was to provide world class Indian Bank too much of investment in setting up the IT system could be a big concern for the firm. Salvi had to decide which model he should go with aligning with the business goals and still consider the profitability factor and maintain strong customer relations,

Question 1: What are the challenges faced by Salvi?

Vishal Salvi, the Chief Information Security officer at HDFC bank at the time of the case, had several challenges facing him in his new role. As outlined in the beginning of the case, the three major dilemmas that Salvi faced were how to ensure security of online transactions, whether or not to make secure access mandatory or discretionary, and whether or not to use an onsite or cloud model for their information systems and databases. With the increased demand for online banking in India, a phishing scam that affected 1.28 million customers was the cause of these challenges for Salvi. While each dilemma is slightly different, each one is aimed to increase the security of the company.

The first challenge that HDFC bank and Salvi had to face was that of finding the right blend of security and convenience. In general, security at its core usually adds some level of inconvenience. While this is not necessary a bad issue, a lot of security practices are seen as unnecessary by many consumers. If HDFC creates strict security controls in accessing an online bank account, consumers might not understand the necessity of those controls and favor another bank instead. However, if security controls are not adequate then HDFC can be the target of data breaches and phishing scams. I think the pattern that most banks and businesses see, is that during the early stages of a business that security is not a high priority, mostly since they are not a large target. However, as the bank or business becomes more popular and successful, then stronger security controls are put in place. Since HDFC wants to establish authentication and validation controls which involve customer interaction, they need to be careful in which controls they want to implement without pushing away potential customers.

Salvi had answered the first challenge by establishing multi-factor access to online banking. This multi-factor authentication required that the user establish a list of security questions, establish personal messages, provide their address or telephone number, and other methods of authenticating that the user is the appropriate user. The problem was that HDFC had a number of dormant users who did not use the online functionality but instead used the bank or ATMs. It was easy for Salvi to establish that when the access control policy was implemented, any new customers going forward will have to use the multi-factor authentication. With the way the IS was established, there was a serious vulnerability for these users. While the case doesn’t identify Salvi’s actions, I would suggest to establish a timeline where users are required to establish the multi-factor authentication questions before the account is locked online.

The last challenge faced by Salvi was where to establish the location of a server and HDFC’s IT infrastructure. In my understanding, there are really only two methods for going about acquiring IT resources, which include purchasing or paying a service provider. In the case, Salvi had the option of purchasing its own data center to house at its headquarters or use the security service provider, RSA, which included either an offsite database or cloud computing. The difficulty is that each choice has their pros and cons. The major benefit of having the database “in house” is that it sits within the headquarters of HDFC, making it more accessible since it’s on the network. However, the con is that this option is the most expensive. The more inexpensive option of using RSA has issues of its own, with those being that it needed to create a safe means to access the data as well as rely on a third party.

Overall, Salvi had to face some serious challenges to address the security of HDFC bank. In most cases I examined, the answer is usually to implement a basic change or move focus from business efficiency to security. However, in the HDFC bank case, the challenges didn’t necessarily have a clear cut answer, making the decisions by Salvi that more difficult.

The ubiquity of the internet and banking reforms in India has made HDFC Bank one of India’s leading private banks with deposits over $15 billion in 2007. Along with the internet, the demand for online banking steadily increased and was considered to be the “banking of the future.” As Chief Information Security Officer for HDFC Bank, Vishal Salvi’s primary objective was to make certain that HDFC’s online banking was secure from cyber threats while maintaining a balance between security and customer’s convenience. The four challenges faced by Salvi are: addressing phishing attacks on HDFC Bank’s customers; implementing security controls without interfering with customer’s convenience; whether or not to add the “secure access” model to dormant online accounts; and deciding on new information systems sever location that would optimize its ability to deliver financial services to its customers.

Phishing is one of the nine most common online threats facing banks and financial institutions. To combat phishing targeted to its customers, HFDC contracted RSA Security to provide a 24/7 command center that would monitor for ongoing phishing scams and shut down online banking transactions as necessarily. Salvi also introduced a “cooling period,” where transactions to unknown third party would be held for 24 hours to allow the bank time to verify the transaction with the account holders. It also sent out awareness messages to its customer in an effort to educate them on the dangers of phishing. With all of these additional controls Salvi had to make sure that HDFC does not overdo it and create an inconvenience for the customers.

HDFC also had to ensure that security controls implemented on each online transaction is invisible to the customers. Some of these controls are user ID and passwords, tokens, account profiling, and even biometrics. With every layer of additional security control, the complexity of the systems grows, making it more difficult for a customer to make online transactions. Salvi had to decide whether the information security protocols should authenticate the account holder or authenticate the transactions. Identity authentication is focused on the proper identity of the account holder which may be verified using biometrics or security tokens. Transaction authentication is using instruments such as HDFC’s “adaptive risk modeling” to create a profile for bank to flag any abnormal transactions from an account.

Secure access, in banking terms, refers to additional security measures enforced by a system to authenticate the identity of a user. This may require the user to select a pre-chosen image, answer personal security questions, provide an address or phone number, or select a personal message. It may also require the account holders to provide a list of known beneficiaries, or third-party accounts, that the customer made periodic transfers to. Dormant accounts are accounts that had never made transactions over the internet although a customer have registered for online banking. Dormant accounts were very susceptible to fraud since the attackers can gain access to the accounts without raising any flags. Salvi had to decide if secure access should only be applied to active online accounts or dormant online accounts as well. He also had to decide how long the bank should wait before disabling a dormant account’s online privileges, since leaving it alone without secure access may provide an open window for hackers to gain unauthorized access to the account.

Lastly, Salvi had to decide how he would manage the IS infrastructure for HDFC’s growth. He had to choose whether the banks authentication and online servers should be located onsite or offsite. Having the servers onsite, at HDFC’s datacenters in India, would give the bank control of the system’s availability and security. The disadvantages of onsite servers are the upfront costs, management of idle capacity, and the inability to scale up or down efficiently with demands. Cloud servers gives the bank the advantages of scalability, pay-per-usage, and minimal initial investment costs. Cloud servers also requires an additional communication medium between the bank and the provider, that needs additional security measures. The main disadvantages of having the servers on the cloud are issues with connection reliability and no control over the third party’s security management processes. With this decision Salvi must also factor in the cost and time of implementing each type of infrastructure.

Hi Paul,

This is a very good summary on the case. Thank you for sharing. Aside from being expensive, having onsite server’s also requires additional physical security controls. Some other cons, as mentioned in the case, is scalability and idle capacity. For a growing online customer base, HDFC would need to ensure that the new onsite datacenter would have enough capacity to provide services to new customers, but not so much that the maintenance cost of unused capacity drains the bottom line. With offsite servers, not only that the bank would have to rely on third party for security but it also have to provide a medium that would not affect the Availability of critical systems. Overall, like you said, it’s a very difficult decision for Salvi to decide not only between time and cost, but also security and availability of the new IS infrastructure.

3. What are the challenges faced by Salvi?

The challenges faced by Salvi are:

• It was Salvi’s principal mandate to make certain that HDFC Bank’s online banking platform was secure from online hazards
• The two components of the online banking: Net banking and mobile banking, Mobile banking was a new concept in India and people were not that much friendly with it but since it was considered to be the banking medium of the future it needed to be promoted.
• For us at HDFC Bank, an IS framework was in the light of the changing ecosystem and was just at the beginning of the curve, which had three dimensions -technology integration, business integration and risk integration.
• It was a challenge to meet the following major aspects of all three dimensions:
o For technology integration, IS should be independent of the larger information technology (IT) scenario at the bank.
o For Business integration, business division in the bank should be accountable for the costs and risks associated with IS
o For the risk integration, employee should look at IS risks as part of overall risk management of the bank rather than as a standalone risk.
• Phishing was one of the nine common online frauds concerning the banks and HDFC was the fourth bank in India to encounter it but HDFC was quick to take corrective measures
• Another challenge was to ensure that the IS protocols were not so rigorous as to cause inconvenience to customers. It was important to secure regular annual increases in new customer accounts to ensure that existing customers stayed on with the bank.
• It was a challenge to keep IS transparent to the customer and at the same time making it effective from bank’s point of view.
• Reducing the false positive rate was a challenge since the IS technologies were not that mature and IS processes were not that much stabilized due to which it was time consuming for the customers. The customers perceive it as an inconvenience. Maintaining the bank’s competitive positioning was a challenge.
• Another challenge was managing the identity authentication of the account holder as well as transaction authentication and at the same time making it simple for customers.
• Managing the security of dormant accounts was a challenge. The bank need to make a decision on whether it should provide secure access to every registered online user or limit secure access only to active users. Time-frame was needed to be defined for dormant users to seek secure access before disabling their accounts at the same timekeeping the window small to prevent misuse during the interim period.
• Deciding the server location (whether should be onsite of offsite) was a decision to be taken.

Q: What are the challenges faced by Salvi?

Based on the case, Salvi was being faced three challenges: how to balance the security of an online transaction and the customer convenience, whether secure access was mandatory or discretionary, and whether he chose an on-site model or a cloud model.

The first challenge that Vishal Salvi was being faced was the balance between the security of an online transaction and the customer convenience. In general, as per the case, each online transaction required two minimum requirements for approving an online financial transaction: validation and authentication. Validation required a customer’s user ID and password, which allowed the security system of the bank to know the account holder. Authentication required six-digit number from a customer’s physical device, which allowed to check the person’s identity. Furthermore, other additional checks included the size of transactions, locations and IP address of customers.
However, with the increase risks of online banking, Salvi wanted to increase the security of online banking, however, he concerned that implementing new security system would influence customer convenience. If Salvi decided to continue using the same level of security, it was true that customers still felt convenient to use online banking, but it was also true that the low level of security was putting customers at high risks. One the other hand, if Salvi decided to increase the level of security, the security system would be trustworthy but the complexity of the system would push the customers away and lead a loss of customers. This was Salvi’s first challenge, the balance between security and convenience.

the second challenge that Vishal Salvi was being faced was that whether the secure access mandatory or discretionary. A number of online banking users that registered in HDFC would almost never use the internet, instead, use physical branches or ATMs. Those dormant accounts were easily targeted by fraudsters without raising any alert when they entered online accounts. So Salvi was planning to implement a second level of authentication for all online customers to ensure their security, as known as “secure access”. The second level of authentication included details of account holders and increased the process of validation by the system. Furthermore, Salvi said that HDFC would disable access for those who will not use internet, and once they needed, they needed to gain Secure Access. For new customers, Salvi planned to provide Secure Access once they registered an online account.
Even though Salvi had already had his plan to implement Secure Access, he still could not decide whether it was mandatory or discretionary. If Salvi decided to make Secure Access mandatory, it would be an optimal security and he had already had plans to implement, but the inconvenience would impact customer’s experience of using online banking and lead a large loss of customers. On the other hand, if he decided to keep it discretionary, it would be convenient for customers, but the higher risks of security would be a big concern. This was Salvi’s second challenge that whether Secure Access was mandatory or discretionary.

The third challenge that Vishal Salvi was being faced was that whether he used an onsite model or a cloud model. Based on the case, an on-site model would carry a low rate of systemic failure because its servers were built within HDFC’s own local area network. A cloud model’s advantages were fluid and elastic. It would require a separate connection between HDFC and its IS vendor by internet, and the vendor’s location was outside of India, which created additional concerns of systemic failure and transcontinental links.
Salvi concerned that if he chose the on-side model, it would require a longer timeframe and more expenditures than the cloud model that required shorter timeframe compared with on-site model, and allowed to use pay-by-use pricing.

Overall of these three challenges, Salvi’s goal was to keep online banking secured. However, before he made any decisions, he had to balance several elements including customer convenience, security risk, timeframe and expenditures.

What are the challenges faced by Salvi?

In August 2007, HDFC Bank, one of India’s leading private banks was a target of a phishing attack. Customers received e-mails claiming to have originated from the bank and seeking sensitive account information, including password and personal identification codes. Phishing is one of the most common online frauds related to banks and financial institutions and due to India’s growing prevalence of online banking, banks have to set up countermeasure to prevent such attacks. Vishal Salvi, HDFC Bank’s CISO, would like to improve HDFC Bank’s information security to prevent such attacks from happening again however, he is faced with customer convenience, secure access and server location challenges in his goal to improve security.

Customer Convenience

The first challenge Salvi faced is the impact of customer convenience while attempting to make online banking more secure. One of the primary purpose of offering online banking is to make banking more convenient and available to customers where ever they are as long as they have internet access. Salvi intend to implement additional layers of protection by implementing systems which authenticates the identity of the account holder or the transaction. The check points involved in authenticating the account holder require authentication instruments such as biometrics (“what they are”) and tokens (“what they have”). Authentication of transactions on the other hand concentrates on the integrity of the transaction process. It relies on internal systems which analyzes a customer’s historical transaction amount and recipient and raises a red flag if any transaction is out of the customer’s normal transaction activity. Salvi is contemplating on which security to implement by weighing the cost-benefit of security vs. customer convenience.

Secure Access

The second challenge Salvi faced is establishing secure access for dormant users. Salvi is planning to introduce a second level of authentication for all HDFC bank’s online customers. This introduces another authentication instrument where individual customer incorporate specific details of authentication into their account such as security questions and images (“what they know”) which will be part of the validation process of the customer’s online banking. Activating this new level of security is a non-issue with active or new users however the problem lies in dormant users, which represent approximately 20% of HDFC’s customers registered online. These accounts are vulnerable to attackers and fraudsters because the actual users do not monitor their accounts. If a perpetrator is able to gain access to the dormant accounts, they can set the secure access of those account for themselves and gain complete access to those accounts. Salvi is faced with the decision on whether to activate the secure access feature, disabling dormant user account and risk losing a significant number of registered user accounts.

Server Location

The third challenge Salvi faced is establishing server locations for the authentication servers and online transaction servers. By establishing the proposed IT infrastructure mentioned above, Salvi will need to decide on whether to have the servers built in-house or outsource them to RSA Security. RSA Security had built up competent could-based servers which allows data to be stored in the virtual world. The main advantage of outsourcing to RSA Security is flexibility it provides. HDFC can use data storage as needed without being reliant on server capacity. RSA Security has offered a bundled package to store the hardware, software, networks, services, and interfaces of HDFC in the virtual world with a pay-by-use pricing. With what RSA Security is offering, it will be the wise option to set up the authentication servers in the cloud. Salvi would then need to decide on a network connectivity, whether through internet (cheapest but unreliable), dedicated bandwidth (costly but reliable) or a proxy server hosted by the vendor where hardware and software architecture would need to be installed slowly in the banks own infrastructure.

3. What are the challenges faced by Salvi?

According to the beginning of the case, Vishal Salvi, the new Chief Information and Security Officer of HDFC was facing three dilemmas in strengthening the bank’s online security following a phishing attack in 2007, affecting 1.28 million online banking customers. Those challenges.

First dilemmas: How to ensure the security of an online transaction while still keeping customer convenience as a priority?

The first security challenge for Salvi was to find the right balance between convenience and security. These two components were conflicting with each other where customers were seeking simplicity and the system to be more trustworthy whereas HDFC bank aimed to increase the complexity of security of online banking to avoid data breaches and phishing attacks. Customers could be discouraged in online banking if the bank set up too strict and complicated security controls and policies. I would describe that online banking security as an onion, which has multiple layers to protect the money and personal information of online banking users.

To response to the challenge:
Multi-factor authentication:
Salvi established the multi-factor authentication in response to the security challenge. This multi-factor authentication requires the users to select a security image, establish a personal message, provide correct address or telephone number, and answer security questions. Nowadays, this process has been implemented by most banks to ensure the right identity of the account holders.
RSA Security:
In addition, Salvi also signed on with RSA Security, a third party security provider, to set up a 24/7 command centre to monitor an ongoing attack as well as shut down the bank’s online transactions temporally under authorization from HDFC bank.
Cooling period:
Moreover, the bank account holders were required to establish a list of “beneficiary”. Transfer of funds to a new person who was not listed would take at least 24 hours. The time window would give time for the bank to check the transaction and authorization of the account holder.
Educational alert:
After the security disaster happened, HDFC bank frequently educated the account holders about hazard of phishing by sending awareness messages

Second dilemma: whether he should make secure access mandatory or leave it discretionary.
Since there were still massive amounts of registered online customers who would never use the internet, even though they had registered for online banking and would instead use offline media such as ATM or visit a branch in person. These type of users posed a risk because fraudster could gain entry through them without raising an alert.
To response to this challenge: HDFC bank would disable the access for dormant customers who do not use the online medium regularly. Then they would need to visit a branch in person with an ID to gain secure access once again.

Third dilemma: Whether he should go for an onsite model on for the cloud model in terms of time, money and security.

HDFC bank was in conflict with choosing the right server location to include two types of servers: authentication serves and online servers because each model would have it own pros and cons
Onsite model: it would be located in HDFC’s data centres in India, carrying a low rate of systemic failure. The main advantage would provide the bank higher data availability and security. The disadvantages of onsite servers would be higher costs.
Cloud computing: Business application would be stored in the virtual space of the internet and shared by everyone. The bank could customize according to its computing need. Cost would be one of the main advantages because of pay-by-use pricing. Another main advantage would be the scalability for the future. The main disadvantages would be the lower reliabilities with its network connectivity and data security for the customers.

Overall, these three dilemmas enabled Salvi to reinforce the information security defenses at HDFC. In order to maximize the information security and minimize the vulnerability subsequent to a phishing attack on the bank’s customers, I believe both parties, the banks and their customers would have the responsibility to secure themselves by having the right attitude toward account protection and certain online behaviors.

Source: HDFC Bank: Securing Online Banking, Harvard Case
https://cb.hbsp.harvard.edu/cbmp/content/55253616

What are the challenges faced by Salvi?
As Salvi said, there’re three major dilemmas. How to ensure the security of online banking while still giving priority to customer convenience? Whether secure access should be made mandatory or discretionary? Onsite models or the cloud model?

The first one. The emergence of phishing attack and another online frauds along with ever-changing external environment put a high demand on HDFC bank’s information security framework. In order to secure each online transaction from hazards, multiple standard checks were implemented, validation and authentication were minimum requirements, then complement additional check points, such as based on the risk score of each transaction or the profile of the customer.
Each new layer will add to the complexity of the process, may lead to customer inconvenience, what’s worse, potential customer losing. So, how to achieve a tradeoff between security of the online process and customer convenience matters a lot to retain old customers and attract new customers.

The second one. Salvi was planning to introduce a second level of authentication for all online customers to ensure security, cause there’s a majority of dormant users who are vulnerable to online frauds without raising an alert, Salvi just wondered whether provide secure access to every registered online user or only to active users, this challenge is pretty similar to the first one, balance the security and customer convenience.

The third one, onside model vs could model. An onsite model, as an integral part of HDFC’s own local area networks, carried a low probability of systemic failure, while cloud model faced potential systemic failure caused by low reliable internet or upfront investment on dedicated bandwidth. Besides, cloud model may scale up or scale down relevant computing services depending on users’ need, while onsite model was idle and not scalable. In addition to fundamental issues of IS, time and cost should be taken into consideration, an onsite model would take longer than cloud model, and pay-by-use pricing offered by cloud model are more sustainable and flexible.

Shahla Raei
MIS 5206
HDFS: Securing Online Banking
What are the challenges faced by Salvi?

As a CIO of HDFS bank, Salvi was working on strenthing bank’s information security framework.

Here is chanllanegs that Salvi was dealing with :

– Keep secure newly established IS framework.
– He was concerned about IS security in five different aspect to keep online transaction secure; Authentication, Authorization, Privacy, Integrity and non-repudiation.
– Moving customers from offline banking and online banking.
– All banks are required to conduct risk management and analysis of security vulnerability assessment at least once a year. At HDFS the initial risk management model, and he wanted to make sure that all platform are secure.
– Phishing was one of the most occurred online fraud concerning Salvi.
– Need to ensure that the IS protocols were not so rigorous as to inconvenience to customer.
– To reduce the false positive rate.
– Securing access and considering second level of authorization. (can distinguish the access between returning users or new users)
– By implementing mobile platform the bank needs to implement different authentication levels.

Salvi was faced with a number of unique challenges he was forced to address by enabling HDFC as an online bank. The first challenge addressed was the dilemma of striking a balance between customer convenience while implementing controls to ensure customer’s mobile and internet banking was secure and maintained their “trustworthiness.” The first questions related to securing and implementing these controls was whether or not they need to authenticate at the transaction level or the account holder level. They ultimately decided to focus on the authentication of the account holder by implementing a combination of authentication of an electronic persona by use of things like bio-metrics as well as tokens from RSA that were what you have. The only way for an individual to access this code was to have both of these correct and even today is a fairly common authentication control used.

The next dilemma that Salvi addressed was the issue of secure access (a second layer of authentication for the account holder). Here he implemented a system which would require the customer’s to predetermine and set beneficiaries of the account or authorized users. At this second level of authentication customer’s were required to select an image, message, customer’s info such as address or phone number and answers to unique questions that were previously answered by the account holder. This created the issue for dormant online accounts, or account holders that had accounts for some time but were not using any of the online features and did not register for use. This left a gaping vulnerability in the system because anyone intent on committing fraud it would be fairly easy to register the accounts for online use with readily available information and being able to create their own answers to the validation questions.

The final dilemma that Salvi faced was where to house the authentication servers and the online servers (where the actual banking takes place). His options were to either house the m onsite at their own data centers or to leverage a service provider for cloud computing. Both options had their advantages and disadvantages. If he were to house them in their existing data centers it would be easier to ensure the availability of the servers because it would be integrated with their own LAN and there would not be another communication link required to ensure up-time for availability purposes but also to secure against any egress points. With the cloud option, even with the additional network to worry about for availability, the cloud option seemed to be the better option. With every business, their goals is to be as scalable or elastic as possible and to have the agility to change to keep up with any unforeseen circumstances such as customer tendencies and unexpected growth. In addition, with the cloud model they did not have to invest any internal resources into the ongoing maintenance of the hardware or the software, patches, failed hardware, etc. This responsibility is all outsourced to the cloud provider .Also, if Salvi wanted to leverage a hybrid solution where some of the solution sat in their own data center but they wanted to leverage the cloud for certain features it is an a la carte offering, meaning the customer does not have to purchase an entire hosted solution but can rather pick and choose what he would want to use of a storage, database, integration, testing and infrastructure. Also, even though the cloud model would take about 6 months longer to implement and roll out the factors mentioned above and the tax implications and the ability for HDFC Bank to write-off a significant portion of the cloud computing costs as operating costs since it was a pay by use model, whereas the internal option would require a balance when ordering the necessary hardware to take into account future grown but not wasteful spending by overestimating and having too many idle resources purchased and sitting in their environment.

Wen Ting Lu
MIS 5206
Case 1 HDFC Bank – Securing Online Banking
In this case analysis, I will describe the three major challenges that Vishal Salvi, the new Chief Information and Security Officer was facing, assess the pros and cons of each alternatives, and finally follow by the recommendations on how to overcome the challenges.
The first challenge that Salvi facing was improve transaction security and mitigating security risks while ensure customer convenience to develop good customer relationship. Salvi wanted to strengthen its online banking security by use a combination of validation and authentication for every transaction. In which each transaction had to have proper validation in terms of a user ID and password, also the transaction also required proper authentication, which proves “what the customer has”. However, at the same time Salvia was concerned about implementing this new security system will impact customers’ convenience and make them to breezed through the online with security assess barriers. My recommendation to resolve this challenge is to implement the new secure system –two factor authentication only to unrecognized devices. The reason is that it not only protect the online banking secure, it also make it convenient to the customers who constantly using the same online banking devices.
The second challenge that Salvi facing was whether to implement secure access for all online users, or make it discretionary and limit secure access only to active users. According to the statistics mentioned in the article, about 20% of the registered online customers were dormant users. These users never use the internet and instead they would prefer use offline media such ATMs or visit a local branch in person. However, dormant account were vulnerable to phishing attacks and it would provide a great opportunity for hackers gain entry without any alert. There are two alternative courses of action for this challenge. The first action is prohibit the logins from dormant users without warning. This will quickly resolve the dormant account vulnerability, but it will bring inconvenience to the customers because their account have been disabled. The second action is give dormant account users warning before disable their accounts and rewrite the current IT governance with dormant accounts in minds. This will prone to irritate customers, and address the dormant account vulnerability. My recommendation of course of action to resolve this challenge is rewrite IT governance policy and give warning to dormant account users that their account is under the threats. By rewrite the IT governance policy will not only allow HDFC bank to have a companywide IT policy that will state how to deal with dormant accounts, it could also be marketed to the customers as a good reputation of care for customers’ accounts safety. At the same time, an education platform can be created to help customers understand why the changes are being made in secure access and awaken dormant account users the importance of online security.
Lastly, Salvi was facing the challenge of made determination of where to located HDFC bank’s servers, either onsite or offsite as a cloud model. There are both pros and cons of onsite and offsite models. In the article it mentions that an onsite model carried a low rate of systemic failure because the servers would be an integral part of HDFC’s own local area network. On the other hand, an offsite model required a separate medium of communication between HDFC Bank and the IS vendor-the internet. However, onsite model is idle and not scalable as expansion and contraction cannot be done depending upon the needs of the users in computer services because this model is a fixed capacity of a data center. Compared with onsite model, the offsite cloud model is are to expand and contract depending upon the need of the users and made possible for the users to scale up and down in the computing services. My recommendation of course of action to resolve this challenge is to implement cloud based solution because technology grow rapidly and it is hard to predict, with elastic capacity cloud model resolved this issue. In addition, offsite cloud model has the benefit in pay-by-use pricing.

Vishal Salvi, Chief Information Security Officer of HDFC Bank, has the challenge to make several very tough decisions, which include: how does he ensure the security of an online transaction while still keeping customer convenience as a priority, should he make secure access mandatory or should he leave it discretionary, and should he go for an onsite model or for the cloud model?
Salvi looked-for ways to resolve how he would ensure the security of an online transaction while keeping convenience high for customers. One way Salvi decided to do this was by confirming that the bank would introduce a 24 hour “cooling period” where funds would not transfer to a not listed account until after the time period. This would give the bank time to check the transaction and it would allow the bank user to alert the bank if they noticed something was wrong. Salvi would also have the bank send a phishing awareness message to educate customers on its hazard. These both go along with his strategy of security without inconvenience.
Salvi addressed the issue of mandatory secure access with plans to enforce second level authentication. One way Salvi would do this is with making sure that every large transactions would have standard validation and authentication “checks”. However, he had to decide whether he wanted to have the bank authenticate the identity of the account or authenticate the actual transaction which is a convenience issue. Another issue with secure access is that dormant accounts were extra vulnerable to attacks so Salvi also had to decide whether the bank should provide secure access to every registered online user or limit secure access to only active users. Salvi seemed to be leaning towards the option of making dormant account users lose access to online accounts and having to actually come into the bank.
In regards to the location of the servers, Salvi has two options: onsite model or offsite/cloud model. The benefits of the onsite model are: a low rate of systemic failure, total control of their network and data, better security against hackers, and a better client/customer relationship. The negatives of the onsite model are: longer implementation, increased costs, high upfront investment, the requirement of specialists to protect against cyber-attacks like phishing, and the requirement of each department to maintain all software and hardware.
An offsite/cloud model is more fluid and flexible, less upfront investment, the cost of the cloud is not fixed and is directly related to the amount of bandwidth used and the amount can be written off as financial expenditure, cloud is convenient for the customer to bank online, and less employees need to be hired with this model. The cons of the offsite/cloud model are: a third party controls their data, the increase of system failure due to the separate medium of communication, HDFC has no control of their servers, may have to purchase data if they end their partnership with the cloud company, and there are questions concerning transactional links.
All of these decision will be tough because Salvi will have to make the decision based on the bank’s core activities (providing and facilitating financial services) and not hardware and software maintenance, upkeep of websites, management of data centers, and provision of links at ATMS. These types of decisions will only get harder as more and more users convert to online accounts. Salvi will also base his decisions on his ability to ensure security without inconveniencing the account holders so that the bank can secure regular annual increases in new customer accounts while ensuring that existing customer stayed on with the bank.

Priya & Vaibhav,

The decision to move functions to the cloud, or to outsource is a difficult decision to make. The two main factors I see in this decision are:
1. Control – Do you want to have the ability to control the environment? Make changes, add & remove controls, ect. I see difference between a companies cloud solution vs. on-site solution is control and not so much functionality.
2. Cost – Do you want to pay for it upfront or forever with a monthly cost. You will have to try and estimate a break-even point based on the number of users / licenses. You will have to include variable costs like: Support, but also fixed costs like: Hardware.

This is why it is important to have a council made up of individuals who are using the solutions.

Fred – Although I believe control and cost are factors I do not think they are the main factors.
I think all of these decision will be based on the bank’s core activities (providing and facilitating financial services) and how they can provide these services in the best way possible that will allow for annual increases in new customer accounts while ensuring that existing customer stayed on with the bank. With that said, I think the two main facors are 1)security (without inconveniencing the account holders) and 2) growth.

The term “acceptable information system security risk” means that the risk of information system security is not high enough for the organization to worry about it. In fact, accepting level of risk occurs when the cost of managing the risk outweigh the cost of handling the loss.

The authorizing official (or designated approving/accrediting authority) is a senior management official or executive with the authority to formally determines what the acceptable level of information system risk is.

In order to determine what is an acceptable level of risk, the organization must perform a
security risk analysis, which is part of a 9 step risk assessment process, that should involve the following:
1-Control Analysis
2-Likelihood determination

3-Impact Analysis (determine impact to the systems, data, and the organization’s mission.)
Impact levels are described using the terms of high, moderate, and low.

4-Risk Determination
The level of risk to the system and the organization can be derived by multiplying the ratings assigned for threat likelihood (e.g., probability obtained in step 2 of risk analysis) and threat impact (obtained in step 3 of risk analysis).

For example, the probability assigned for each threat likelihood level is 1.0 for high, 0.5 for
moderate, and 0.1 for low, and The value assigned for each impact level is 100 for high, 50 for moderate, and 10 for low.
Then using a risk scale the risk should be classified as low(from 1 to 10) , moderate(10 to 50) or high (50+)

If an observation is described as low risk, the system’s authorizing official must determine whether corrective actions are still required or decide to accept the risk.

The term “Acceptable information system risk “is usually defined in terms of practical implementation that inspite of building security measures and risk mitigation features within an organization the risk can never be reduced to zero .When risk can not be reduced to zero, so it’s important to determine how much to spend on lessening it to an acceptable level of risk.We can explain it with an example that despite of the measures taken by bank to secure the online banking system there are always attempt by hackers to hack into the system and this can never be reduced to zero so its important to determine how much to spend to bring the system to an acceptable level of risk

Acceptable risk levels should be set by management and based on the business’s legal and regulatory compliance responsibilities, Information security managers play an important decision in deciding the acceptable level of risks to balance the company operational costs and built a robust security mechanism.

To conduct a risk analysis some of the steps are being defined
1)Control analysis-Analyzing the controls to be used in the organization to protect the system
2)Likelihood determination-Likelihood ratings are described in the qualitative terms of high, moderate, and low, and are used to describe how likely is a successful exploitation of a vulnerability by a given threat
3)Impact analysis-This step usually defines calculating the impact in case the risk occurs in the organization and level of damage it may cost.The impact levels are also determined as low,moderate and high
4)Risk determination-Once the likelihood of risk and its impact has been determined we have to calculate risk by multiplying the ratings assigned for threat likelihood (e.g., probability)
and threat impact.
The probability assigned for each threat likelihood level is 1.0 for high, 0.5 for
moderate, and 0.1 for low.
The value assigned for each impact level is 100 for high, 50 for moderate, and
10 for low.
For example likelihood of risk is high so has been given the probability of 1 and impact to organization is moderate so assigned value 50.
The risk to organization finally is 50*1=50 in case the vulnerability is exploited

Risk, as defined in ISO 27000 series, is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to an organization.
Acceptable information system security risk essentially means the level of harm the organization is willing to accept in an event that a threat should be successful in exploiting a vulnerability. It is impractical for organization to eliminate information security risk completely. Even after security controls are implemented to lessen the occurrence and/or impact of an Information security event, there will still be some residual risk. If the residual risk has not been reduced to an acceptable level, the risk management cycle is repeated until enough controls are implemented to make the residual risk acceptable.
Acceptable information system security risk is dependent on the organization, its resources, and risk appetite. Each organization has its own acceptable risk levels which is driven by legal and regulatory compliance responsibilities, its threats, and its business drivers. Management has the responsibility to set the organizations acceptable risks levels because they understand the business drivers and ultimately responsible for meeting business objectives.
There are several constraints that plays a role on how an organization determines its acceptable level of risk:
1. Time-frame to implement
2. Financial or technical issues
3. The way the organization operates or its culture
4. The environment in which the organization operates
5. Legal framework and ethics
6. Ease of use of security measures
7. Availability and suitable of personnel
8. Difficulties of integrating new and existing security measures
Due to these constraints, organizations may not be able to implement appropriate security controls or the cost of implementing controls outweighs the potential of a security event occurring. The organization must conduct the appropriate Risk Assessment process for each potential risk to the organization.

The term “acceptable information system security risk” is a determined in the risk treatment process which is the fundamental goal of going through the risk assessment and other prerequisites to the risk treatment phase of risk management methodology. This is the idea that after going through the context evaluation and risk assessment phases of the methodology, and when analyzing what the appropriate course of action is to minimize the cost of implementing controls to mitigate the risk identified (ultimate goal of the overall process) it is determined that the organization will live the risk and the potential consequences of the security event taking place against the asset. This occurs when either the risk is deemed to unlikely to occur or the cost of implementing any controls to mitigate the identified risk is too costly to implement and fails the cost-benefit analysis.

The acceptable level of risk should be decided by the steering committee within an organization. The steering committee should have the necessary stakeholders from all sides of the business that are impacted by the identified risk. This would include the executive management of the lines of business as well as executive management from the owner of the overall risk management process, i.e. CISO or CIO. It is important that all aspects of the business be included when creating a security steering committee or over site committee.

What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?

The term “acceptable information system security risk” is the level of risk that a company is able to tolerate. This could mean that the impact of the risk would not adversely affect the company too much if the risk were to occur or the risk is deemed too unlikely to happen.

The level of the acceptable level of risk is determined by the senior management of the organization. They will determine the level of financial impact the organization is able to absorb and the probability of risk that the organization is willing to accept.

The acceptable level of risk of an organization is determined through conducting a risk analysis.
The steps of the risk analysis are:

1) System Characterization – Knowing what exactly in the organization is at risk

2) Threat Identification – Knowing what or who are the threat that could lead to the risk

3) Vulnerability Identification – Knowing the potential flaws that could lead to the threat

4) Control Analysis – Analyzing the control that are implemented or could be implemented to reduce or eliminate the probability of risk

5) Likelihood Determination – Estimating the probability ratings of risks in defined terms such as low, medium and high.

6) Impact Analysis – Estimating the level of damage if the risk were to occur in defined terms such as low, medium and high.

7) Risk Determination – The level of risk can be determined using a risk-level matrix by multiplying the likelihood and impact ratings determined beforehand and defined in terms such as low, medium and high.

8) Control Recommendation – This is where the acceptable level of risk is determined. A cost-benefit analysis is conducted to determine if a control investment is worth the risk it could mitigate

Question: What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?

Generally, the acceptable information system security risk includes two situations:
1. The information system security risks are initially in an acceptable level. For example, many employees may forget their user name or passwords, and not allowed to access their PCs. In this case, employees forget their passwords is a high frequency low damage risk, and most of information systems existing process can allow employees find back their passwords, so the risk is in an acceptable level.

2. The frequency and damage of the risks are mitigated to an acceptable level. For example, the firewall of a core servers is a protective control which can prevent the core servers of an organization from hacking. Moreover, with the assist of corrective controls like backup systems and disaster recovery plans, the frequency and damage of risks are acceptable.

The head of IT department or management like CIO of the organization usually is the one who determines what is the acceptable level of information system risk.

To determine what is an acceptable level of risk, I think the decision maker should compare the cost of mitigating the risks and what the potential damage the risks may cause. For example, if the company is a new-start company, spend millions to build a top level firewall is too expensive. In this case, the company can spend less money and build a backup system instead. Even if the attacks damage the servers, the backup system can ensure the business recover in a short time. Since the new-start companies usually don’t have too much valuable information assets, therefore, by using the corrective control can mitigate the risks in an acceptable level.

The acceptable information system security risk is essential the level or risk that an organization is willing to tolerate. It is impossible to prevent every risk, nor is it feasible to implement every possible control, or risk prevention/mitigation. Therefore it is necessary to allocate resources to the risks with the most probability and/or the highest impact. Some risks may be extremely rare but have a high impact so a company might decide to accept that risk because the probability is so low that resources are better spent elsewhere. Alternatively a risk may have a high probability and very low impact, so controls/mitigation may either be less of a priority or not addressed.

Credit cards are an excellent example of the latter. Credit cards in Europe utilized the EMV chip for decades because it was more secure while those in the US did not. Although effective at reducing fraud, many companies decided it would be more expensive to implement the technology than the current fraud. However, credit card fraud grew so prolific in recent years, the cost became too onerous and the chips were eventually implemented. Clearly the decision was made on the impact vs risk mitigation costs.

Acceptable level of risk should be determined by management. Should include CIO, IT security subject matter experts, legal and regulatory considerations, and financial implications of impact and cost to implement controls.

Paul,

This is a good explanation of acceptable risk level. Organizations will sometimes have to make the decision on how much controls will be needed to reduce their risk to an acceptable level. Like an example given in class, the chances of a thermal-nuclear war is very low, but if it happens then the impact would be devastating. There’s probably nothing that an organization could do to prevent the event from happening, but they can reduce the impact by, exaggerating of course, building a facility underground. The cost of such endeavor may too extreme for the company to handle, so they might simply choose to accept the risk based on the resource that they have available.

Brou,

Good way to put it: “when the cost of managing the risk outweigh the cost of handling the loss.” I would just like to add that, In the real world, attaining zero risk is impossible. But after risk avoidance controls are in place, the residual risk shouldbe acceptable. There are different degrees of risk that consequently require degrees of safety.

The term “acceptable information system security risk” means that the risk of information system security is not high importance for an organization to worry about. No organization is ever totally without risk, but there are steps that can be taken to establish an acceptable level of risk that can be properly mitigated.
Acceptable risk should be determined by management based off the business’s regulatory compliance and its business objectives. When determining risk a business must measure loss of revenue, unexpected costs or the incapability to carry on production that would be experienced if a risk actually occurred. Information security professionals need to serve as the transition between the threats and management.
-Identifying company assets.
-Ranking assets in order of priority
-Recognizing each asset’s potential vulnerabilities
-Calculating the risk for the known asset
The countermeasures to mitigate the calculated risks and carry out cost-benefit analysis for these countermeasures are up to senior management and from there they can decide how to treat each risk.

The main aim of Risk Assessment to help the decision making process to verify if the risk has come to a acceptable level or not. and what measures can be taken to provide its acceptability.
When the cost of risk is smaller than the mitigation cost, it is reasonable to accept risk.In this case however the organization must be able to provide the rationale behind risk acceptance. In order to assess the level of risk organization must estimate and access the likelihood and impact of occurrence
The risk assessment process defines how to calculate the likelihood and impact –
1. Identifying Threats – identify business,environmental, natural threats
2. Identifying Vulnerabilities – Conduct vulnerability scans, penetration testing
3. Relating Threats to Vulnerabilities – Relate threat to the vulnerabilities
4. Defining Likelihood –
It is the probability that a threat caused by a threat-source will occur against a vulnerability.
-Low -0-25% chance of occurrence of risk
– Moderate -26-75% chance of occurrence of risk
– High -76-100% chance of occurrence of risk
5. Defining Impact
Impact can be defined in terms of confidentiality, availability and integrity and quantified in terms of low. moderate and high.
6.Assessing Risk – Draw a likelihood and impact matrix to determine risks and its level

Typically, business managers, not IT security personnel, are the ones authorized to accept risk on behalf of an organization.
It depends upon the business what is level of risk that the business can tolerate. Ingeneral it can depepnd upon folowinf factors,
– Legal/Government rules
– Timeline to implement mitigation action
– Organizational policies, objectives
– Interest of stakeholders

[source] https://www.sans.org/reading-room/whitepapers/auditing/introduction-information-system-risk-management-1204

It depends upon the business what is level of risk that the business can tolerate. In general it can depend upon following factors,
– Legal/Government rules
– Timeline to implement mitigation action
– Organizational policies, objectives
– Interest of stakeholders

The term “Acceptable Information System Security Risk” outlines the Information Security Risks and the level of exposure the company is willing to endure.

The management is responsible to identifying the risks and deciding what is an acceptable level because they know the operation of the business and the impact behind each function.

The level of business risk a company holds is dependent on an organizations unique variables. The management will build a risk profile to determine what is an acceptable level of risk. This will help assign value to determine what mitigation techniques will be used and amount of money will be spent on the risks.

Two companies may perform similar operations but the management for each company may set different risk levels for the operation. There is no right or wrong answer. It depends on managements perceptions.

The term “acceptable information system security risk” reminds me of one of other terms – “risk appetite”, Risk appetite is the amount of risk, on a comprehensive level, that an entity is willing to accept in pursuit of value. The risk falls into the range of “risk appetite” could be deemed as “acceptable information system security risk”, that is the cost of implementing appropriate measures to reduce risks outweighs the potential loss once risk occurring.

The way to determine acceptable level of risk is risk analysis, there’s steps for Risk Analysis:
1 Control Analysis
2 Likelihood Analysis – to consider a threat source’s motivation and capability to exploit a vulnerability, the nature of the vulnerability, the existence of security controls, and the effectiveness of mitigating security controls
3 Impact Analysis – considering impact to the systems, data, and the organization’s mission and the criticality and sensitivity of the system and its date to determine the level of risk to a system is impact
4 Risk Determination – to obtain the level of risk to the system and the organization based on previous analysis by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact.

Acceptable information system security risk is the level at which companies are willing to accept depending on whether the impact on the company and the cost to fix it is low. It also has to do with the idea that the risk isn’t affecting their customers too much. The CIO and CEO determine the level of acceptable risk because 1) The CIO is in charge of IT and sets policies and procedures to mitigate any sort of risk and solutions to solve system security occurrences and 2) The CEO overlooks the company as a whole, making sure the assets of the company is safe. Together these two can perform risk analysis to create strategies to determine what level of risk they are willing to accept through various methods such as a cost analysis. If a risk was low and has barely any impact on the company, they will accept it or if it’s too high, they try to find ways to bring it down to an acceptable level or create stronger policies to prevent it from affecting the company too much. They look at scenarios in which the probability of certain event occurring is either low, moderate or high. If a risk is low impacting and doesn’t require much to fix, the organization will accept the risk and won’t worry too much about it. But at moderate and high levels, they tend to look at it more closely and figure out what ways they can use to mitigate or eliminate it.

Paul, you make a great point. It’s good to include stakeholders and get their ideas on what is an acceptable level of risk by utilizing a steering committee. The CIO/CISO are major players in this because they can give a more informative and closer insight since they deal with the systems on a daily basis and the CEO is another major player because the CEO is overlooking the company and how costly some risks can impact the organization.

My weekly news post is about a video that relates Wells Fargo fraud. As we talked about it last week, Wells Fargo was fined $190 million because of 1.5 million fake accounts created by multitude employees. Out of the $190 million fine only $5 million will go to the victims.
The company fired more than 5,000 employees and said they will invest in training and improve their control. The outrageous thing is that nobody is going to jail. A fraud has been committed and no one is being held responsible for it. This kind of fraud should result up to 15 years in prison.
Plus, the fine represent only 3% of Wells Fargo revenue ($5.6 billion) in the second quarter of 2016. The government should be stricter, otherwise other banks will do the same knowing the punishment won’t be hard.

I agree that two similar companies may have different risk management practices, and there is no one superior strategy. However, there some risk management practices that provide excellent framework/guidelines. For example, transferring risk, or purchasing insurance is sometimes not advisable unless there are regulatory requirements to consider. A risk that has a high probability and low impact should not be insured, but rather retained by the company. Insurance is generally not a good risk management practice for low impact risks, regardless of frequency. However, a company may decide that it does not want to retain the risk and would rather predictability. In this example, insurance would not be a good choice. However different companies may pursue diverging risk mitigation practices with positive results.

I totally agree with your opinion Deepali. From a decision maker’s perspective, balance the cost of risk and the cost of governance the risk is very important. For example, the risk with high frequency and high damage should be handled firstly. Management of an organization should also consider specific circumstance to decide which is the best way to mitigate the risks.

Yes, I also think the organization can mitigate the impact even if it might not prevent the risk from happening. Comparing with the preventive control, I think corrective control like backup systems and disaster recovery plan also have important position in mitigating the risk. If an organization is new-start, it might no need to invest millions in building a top level firewall, but an available backup system can fit what it needs.

Great post Ming Hu. You brought a good point about Risk Appetite. I read in detail about it,
An organization should consider risk appetite at the time of aligning organization goals.
To determine risk appetite following steps should be taken:
1. Develop risk appetite
2. Communicate risk appetite
3. Monitor and update risk appetite
However there are 2 important aspects
(1) articulating risk appetite is too difficult
(2) Communicating risk appetite does not contribute to growth of organization.
However the costs to manage risk sometimes outweighs the main objective of business.Determining risk appetite is an element of good governance that managements and boards owe to stakeholders.

Hi Priya,

Thanks for giving a great explanation of how an organization accesses risk and verify if the risk acceptable or not. Actually, to assess risk, an organization can create a Sample Risk Management Table including risk
risk Description, impact, likelihood, risk management strategy, cost residual risk after implementing risk management strategy. so that they can determine the level of risk they are able to accept or tolerate.

Ming, Great Answer. I have heard it referred to Risk Appetite as well. I think a company’s Risk Appetite is also affected by Company Culture. Some company’s are by design riskier than others and vice versa. That is because many companies survive off taking risks because it is the nature of their business. For example, Life Insurance companies are often times take high risk because it is necessary in that field.

An information risk profile is an evaluation of the types, amounts and priority of information risk that an organization finds acceptable and unacceptable (risk appetite).

Organizations use a risk profile as a way to mitigate potential risks and threats.

An information risk profile is critical to the success of an organization’s information risk management strategy and activities because it provides valuable insights into an organization’s information risk appetite and expectations for information risk management.

What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?

An information risk profile documents the types, amounts and priority of information risk that an organization finds acceptable and unacceptable. This profile is developed collaboratively with numerous stakeholders throughout the organization. It is used to manage and apprehend risks in the organization.

Plus, risk profile is critical to the success of an organization’s risk management strategies and activities because it is the tool that the organization use to benchmark different risks it can face. By knowing what it can accept or not allows the organization to develop appropriate strategies.

What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?

An information risk profile records different kinds of information risks based on their types, amounts and priority, which measures the amount of risk that an organization wants to accept. The elements of this profile include many different kinds of opinions from stakeholders related to the organization.
An information risk profile should include guiding principles because they provide accurate information and help evaluate threats, vulnerabilities and risks to an organization. It helps the organization manage and mitigate risks to reduce the possibilities of all kinds of risks.
It is critical to the business because it helps the organization reduce the possibilities of risks. And also it allows decision makers to make decisions. In addition, the organization also analyzes the acceptability of risks.

An Information risk profile documents types, amounts and priority of information risk that an organization finds acceptable or unacceptable. It is a quantities analysis of the type of threats of an organization.

This profile should include guiding principle aligned with both its strategic directive and supporting activities. This is developed by stakeholders through the organization, including leaders, data and process owner and enterprise risk management. The information risk profile should include the organization’s data classification schema and a summary of the control requirements and objectives associated with it.

Risk profiling is an important tool for investment process. Decsiosn makers in a company can reference to information risk profile that developed and endorsed by organization business leader. The profile provides important insights and guidelines associated with information risk identification and management.

Very well explained Brou. I would like to add an example to this.

If a drug company does not properly test its new treatment through the proper channels, it may harm the public and lead to legal and monetary damages. Failing to minimize risk could also leave the company exposed to a falling stock price, lower revenues, a negative public image and potential bankruptcy.

Shahla, since you brought up the topic of investment i want to point out that organizations should be careful about over relying on risk-profiling tools because in a banking system for example, they only assess a client’s attitude to risk and capacity for loss. By only using this approach, advisers could be failing to take into account clients’ overall investment objectives or other key factors that need to also be considered.

I think organizations overall shouldn’t over rely on risk profile although it is a crucial step in managing risk.

What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?

According to the ISACA, An information risk profile documents the types, amounts and priority of information risk that an organization finds acceptable and unacceptable. An organization’s information risk profile should include guiding principles aligned with both its strategic directives and the supporting activities of its IRMS program and capabilities. This information should be listed early in the profile to allow the reader to understand its context and intent. Common guiding principles include the following:

Ensure availability of key business processes including associated data and capabilities.
Provide accurate identification and evaluation of threats, vulnerabilities and their associated risk to allow business leaders and process owners to make informed risk management decisions.
Ensure that appropriate risk-mitigating controls are implemented and functioning properly and align with the organization’s established risk tolerances.
Ensure that funding and resources are allocated efficiently to ensure the highest level of information risk mitigation.

An information risk profile is critical to the success of an organization’s information risk management strategy and activities. It provides valuable insights into an organization’s information risk appetite and expectations for information risk management. Information risk and security professionals and programs that effectively leverage this information in their actions and activities can be confident in their alignment with business requirements and expectations.

Source: http://www.isaca.org/Journal/archives/2013/Volume-4/Pages/Key-Elements-of-an-Information-Risk-Profile.aspx

Definition: Information risk profile is an evaluation of organization’s willingness (usually rated in high, moderate and low) to take risks, as well as the threats to which an organization is exposed.

How to use: A risk profile is important for determining a proper investment asset allocation for a portfolio. Organizations use a risk profile as a way to mitigate potential risks and threats.

Why it is critical: according to ISACA’s article, an information risk profile is critical to the success of an organization’s information risk management strategy and activities. It provides valuable insights into an organization’s information risk appetite and expectations for information risk management. Information risk and security professionals and programs that effectively leverage this information in their actions and activities can be confident in their alignment with business requirements and expectations

link: http://www.isaca.org/Journal/archives/2013/Volume-4/Pages/Key-Elements-of-an-Information-Risk-Profile.aspx

What is an information risk profile?

An information risk profile records different categories of risks depends on its types, amounts, and priority, and the organization will classify the acceptable and the unacceptable.

How it used?

The information risk profile provides important insights and guidelines associated with information risk identification and management. The ERM function can leverage these information provided by the profile as it calculate the overall enterprise risk and develops control objectives and management practices to effectively monitor and manage it.

Why is it critical to the success of an organization’s risk management strategies and activities?

In my opinion, the information risk is critical, because it reduces the friction between decision makers and IRMS, and helps the Information risk and security professionals and other related programs to be confident in their alignment with business requirements and expectation
Frictions exist between decision makers and (information risk management security (IRMS), cause of misunderstanding of each other’s activities and motives. The appearance of the information risk profile can reduce the friction, as it is mutually developed, and both of IRMS and decision makers can use to guide their respective activities.
It provides valuable insights into an organization’s information risk appetite and expectations for information risk management, so that the Information risk and security professionals and other related programs could be confident in their alignment with business requirements and expectations.

source:http://www.isaca.org/Journal/archives/2013/Volume-4/Pages/Key-Elements-of-an-Information-Risk-Profile.aspx

What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?

According to ISACA, an information risk profile is a quantitative analysis that documents types, amount and priority of information risks that an organization finds acceptable and unacceptable.

An organization’s information risk profile should be structured and formatted in a fashion that quickly demonstrates its value and intent to the organization, is easily understood and applicable to the organization as a whole, and is viewed as useful and beneficial to its leaders and stakeholders. The following can be useful in meeting these goals.

How it’s used:

Guiding Principles and Strategic Directives

An organization’s information risk profile should include guiding principles aligned with both its strategic directives and the supporting activities of its IRMS program and capabilities. This information should be listed early in the profile to allow the reader to understand its context and intent.

Common guiding principles include the following:
¥ Ensure availability of key business processes including associated data and capabilities.
¥ Provide accurate identification and evaluation of threats, vulnerabilities and their associated risk to allow business leaders and process owners to make informed risk management decisions.
¥ Ensure that appropriate risk-mitigating controls are implemented and functioning properly and align with the organization’s established risk tolerances.
¥ Ensure that funding and resources are allocated efficiently to ensure the highest level of information risk mitigation.

Why critical?

An information risk profile is critical to the success of an organization’s information risk management strategy and activities. It provides valuable insights into an organization’s information risk appetite and expectations for information risk management. Information risk and security professionals and programs that effectively leverage this information in their actions and activities can be confident in their alignment with business requirements and expectations.

Source: http://www.isaca.org/Journal/archives/2013/Volume-4/Pages/Key-Elements-of-an-Information-Risk-Profile.aspx

What is an information risk profile?
-An information risk profile is a quantitative analysis that documents the types, amounts and priority of information risk that an organization finds acceptable and unacceptable. This profile is developed collaboratively with numerous stakeholders throughout the organization.

How is it used?
– An organization’s information risk profile should include guiding principles aligned with both its strategic directives and the supporting activities of its IRMS program and capabilities.
– Also, transparency is a key aspect to the success and adoption of an information risk profile.
– The information risk profile should include a current-state analysis of identified information risk factors that have a reasonably high probability of occurrence and would represent a material impact to business operations if realized. The current-state representation should also include the organization’s IRM views, expectations and requirements.
– The information risk profile should include the organization’s data classification schema and a summary of the control requirements and objectives associated with it

Why is it critical to the success of an organization’s risk management strategies and activities?
– It provides valuable insights into an organization’s information risk appetite and expectations for information risk management. Information risk and security professionals and programs that effectively leverage this information in their actions and activities can be confident in their alignment with business requirements and expectations.

Source: http://www.isaca.org/Journal/archives/2013/Volume-4/Pages/Key-Elements-of-an-Information-Risk-Profile.aspx

What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?

The information risk profile of an organization is produced in collaboration with various stakeholders in the organization. The list of stakeholders can include, business leaders, internal and external audit, legal team, enterprise risk management, compliance team, process owners, etc.

An organization may choose to mark a specific risk acceptable and unacceptable, which is decided using the types, amounts and priority of information risk, and is documented in the information risk profile.
It ensures availability of key business processes. It also identifies and evaluates threats, vulnerabilities, which is crucial in making informed risk management decisions by the business leaders and the process owners.

It is important that proper risk mitigating controls are implemented and are also functioning properly.

2. What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?

The Business and Information Risk management security professionals disagree to the risk factors because the business believes in taking risk to achieve their business activity and the IRMS professionals try to mitigate the risks and ensure that their organization’s information infrastructure and assets are protected properly. The best method to reduce the tension is to mutually develop and maintain an information risk profile that they both can use as a guide.

Information risk profile contains both acceptable and unacceptable risks- the type, amount and priority. It should demonstrate its value and intent to the organization, be beneficial to the leaders and stakeholders and should be easily understandable.

Risk profile provides a base for the business leaders to consider them and adjust the organization’s risk profile to business objective by modifying the requirements. This way both the IRMS and Business leaders work together to align with the organizations information risk management expectation.

Source: http://www.isaca.org/Journal/archives/2013/Volume-4/Documents/13v4-Key-Elements.pdf

An Information Risk Profile is a description of the overall IT risk to which the enterprise is exposed (Risk IT Framework p. 101). The Risk Profile will identify how much value / loss is associated with the risks accepted by the organization.

The Risk Profile is an important document because it outlines the valuable assets of an organization, defines the risks that may hinder the businesses assets, determines the risks management is willing to accept, and the expectations for mitigating the risks. Accurately outlining the values and risks will enable organizational leaders to manage information risk.

http://www.isaca.org/JOURNAL/ARCHIVES/2013/VOLUME-4/Pages/Key-Elements-of-an-Information-Risk-Profile.aspx

2 As per ISACA’s Risk IT Framework, the Risk profile of the enterprise is the overall portfolio of identified risks to which the enterprise is exposed. The Risk profile is gives a picture of
• the key business processes, associated data and capabilities and the type of risk the process is exposed to
• accurate identification and evaluation of threats, vulnerabilities and their associated risk
• information on risk-mitigating controls already in place and whether they functioning as per the Organization’s acceptable risk levels
The Information Risk profile helps business leaders and process owners to make informed risk management decisions. It communicates whether the funds and resources available are utilized effectively to best mitigate risks in a way that the risk posed is within the company’s acceptable risk threshold. It also serves as a brief risk response plan and helps in planning and tracking risk mitigation activities.

The information risk profile is the portfolio of all the identified IT risk that the enterprise is exposed to.

This is really important since it weighs the impact of the IT investments a company can make. This allows executives to make decisions based on the likehood of success and the perils of failure. The goal of the decisions is to reduce the overall risk facing the company. Risks can be chosen to be accepted, mitigated, offset, or removed.

What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?

In the article, “Key Elements of an Information Risk Profile”, Isaca defines an information risk profile as: “An information Risk Profile documents the types, amounts and priority of information risk that an organization finds acceptable and unacceptable. This profile is developed collaboratively with numerous stakeholders throughout the organization, including business leaders, data and process owners, enterprise risk management, internal and external audit, legal, compliance, privacy, and IRMS.”

An information risk profile is critical to the success of an organization’s information risk management strategy and activities. A risk profile is often used when it comes to making decisions, developing, and/or creating an asset allocation portfolio. It is used as a guide to minimize risk and achieve business goals. Organizations tend to use the valuable insights that come from analyzing an organization’s risk profile, specifically information risk appetite and expectations for information risk management, to mitigate potential risks and threats. An information risk profile is needed because organizations identify and embrace risk to achieve business goals.

Source: http://www.isaca.org/Journal/archives/2013/Volume-4/Pages/Key-Elements-of-an-Information-Risk-Profile.aspx

Well explained Alexandra!
I would also like to add that the risk profile will help organization determine priority of IT requirements.
It also proves as a plan to manage risks,target spending,, preparation for impacts. This is a proactive means of handling risk.

Hi Abhay,

I have never thought of the stakeholders who should participate in determining the risk profile. This is a great and clear list. Each of them have different responsibilities to determine the types, amount and priority of information risk. Many companies hire independent auditors to help discover any risks, so they can be properly addressed before they become external issues.

How would you go about creating an information risk profile for a small start-up business? Describe what the risk profile for the business would contain? How should the business use the risk profile?

Principles and directives to create risk profile:

An organization’s information risk profile should include principles aligned with both its strategic directives and the supporting activities of its IRMS program and capabilities. This information should be listed early in the profile. Principles include the following:
• Ensure availability of key business processes including associated data and capabilities.
• Provide accurate identification and evaluation of threats, vulnerabilities and their associated risk to allow business leaders and process owners to make informed risk management decisions.
• Ensure that appropriate risk-mitigating controls are implemented and functioning properly and align with the organization’s established risk tolerances.
• Ensure that funding and resources are allocated efficiently to ensure the highest level of information risk mitigation.

Risk profile for the business would contain the following:

• Key risk areas (e.g., strategic, operational, project)
• Strengths and weaknesses of the department/agency
• Major opportunities and threats
• Risk tolerance levels
• Capacity to manage risks
• Learning needs and tools
• The organization’s risk tolerance, priority setting and ability to mitigate risks
• Linkages between different levels of risks (e.g., operational and overall departmental priorities, business and program risks, sector specific and department-wide)
• Linkages with management processes of the department

Business can use the risk profile:

• To Identify potential risk areas and work on it.
• To classify the data (confidential, proprietary and internal use only, public)
• To identify the key business processes and capabilities which if impacted negatively can cause material impact to the operations.
• To identify stakeholders which are important in making risk management decisions.
• All this information if combined and effectively leveraged can be used in aligning business requirements with the expectations.

I agree with you. The small corporation used the risk profile and should focused on those aspects:
• key external influences on your business, e.g. political, social, legal
• key internal influences, e.g. organisational objectives
• risk management context, e.g. risk management requirements, objectives, timeframes

I would go about creating the information risk profile by conducting interviews with owners / employees to understand:
1. What the business does
2. How it sustains a competitive advantage
3. Resources utilized to sustain the competitive advantage
4. What would happen if one or all of the resources were compromised?

The information gathering sessions with owners / employees will help assign a value on each IT resource. The value assign will give us a starting point to budget for the risk-mitigation solutions.
The risk profile would include ISACA’s Key Elements of an Information Risk Profile, which gives a few options I would include on structuring an effective Risk Profile

1. Guiding Principles and Strategic Directives
This information discloses the key business processes, identifies the risk and evaluations of threats, risk-mitigating controls, and budget for risk-mitigation.
2. Information Risk Profile Development
Information on how the profile was created. Will reference those included in developing the Risk Profile
3. Business-State Representation of Information Risk
The Business-State Representation is the current-state of the IT environment. The information will outline the risks with a reasonably high probability of occurring.
4. Future-State Objectives and Requirements
The Future-State identifies what the organization’s ideal state of IT risk management and tolerance. The information will show the procedures in progress, a summary, timelines, and expected level of risk reduction
5. Key Business Processes & Capabilities
A list of key business processes and capabilities which could severely impacting the organization, and the risks for each process.
6. Key Data Elements
The Key Data Elements often include intellectual property, financial data, customer data, and other sensitive data assets.
7. Identification of Data Owners & Stakeholders
This information is used to assign ownership to company data. Assigning ownership provides key duties and responsibilities for each manager, and helps evaluate the solution.
8. Identification of Business Value
The Business value is a perception of what a company’s data is worth. The general rule is, securing the information should never cost more that the value of the information.
9. Data Classification Schema
This Schema categorizes the control objectives and requirements on data-handling. It should be simple and easy to understand for managements review.
10. Risk Levels and Categories
The Risk levels & Categories places each risk into separate levels and/or categories to provide a scale to represent the business impact for each risk. Risk Levels are broken up into the standard: High, Medium, Low. Risk Categories are broken up into Confidentiality, Integrity, Availability.

The business should use the Risk Profile to understand the risks associated with the critical business functions, the value of the critical functions, the severity of the risks, how you plan on mitigating the risks, and who will be responsible for the risk. It should be used as a guide and should be evaluated to determine the success and if it risk aversion solutions are cost effective.

http://www.isaca.org/JOURNAL/ARCHIVES/2013/VOLUME-4/Pages/Key-Elements-of-an-Information-Risk-Profile.aspx

Great explanation Deepali and I completely agree with your suggestions. The data obtained through the risk identification process makes it possible to create a risk profile and then prioritize the various risks and profile categories. The profile exposes the gaps in a company’s ability to manage its risk across the spectrum of potential exposures such as legal, political, economic, social, technological, environmental, reputational, cultural, and marketing. Ranking in this situation shows the comparative importance of the risk, including the probability of threats and vulnerability and the probable business impact.

Right Magaly. Based on the ranking we can define the impact of the risk such that:

Catastrophic, Major, Moderate, Minor and negligible.

On the above identification we can make a decision on its safeguard procedures and mitigation plan.

Deepali, thanks for sharing.

I think you have a very good lists of principles and directives to create risk profile for small start up company , what risk profile for business contains, and the purpose of the risk profile include what it is for . In order to have a efficient risk profile, I would suggest to schedule appointments with employers to go over the background of the company to have a better understanding of the organization’s environment.

Great answer Deepali. As we are talking about startups, there will be two major factors that company has to keep account of one is expenditure on risk mitigation and two establishing of security framework.
The risk profile will help the startup understand the picture from broader perspective and help management in creating awareness.
Generally startups have budgeting issues and they will need to understand the tolerance level and determine how to prioritize risk handing.

the 3 types of risk mitigating controls are :
1- Preventive controls : they prevent a loss from occurring.
2-Detective controls : they monitor activities and identify issues. They can ameliorate preventive controls.
3-Corrective controls: they are used after a loss to restore the system to its original state.
In my opinion, the most important controls are the preventive controls because they minimize risk by preventing certain events from occurring.

What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?

The three types of risk mitigating controls are preventative controls, detective controls, and corrective controls. Preventative controls are, as the name implies, controls to prevent any problems or errors from occurring. Examples of preventative controls include username and passwords which prevent unauthorized users from access to information or an application. Detective controls are those that detect or identify an an error or problem after it has occurred. An example of a detective control is that of audit trails or user logs when certain employees access an application. Lastly, corrective controls are those that fall in between preventative and detective. These corrective controls are those that identify an error or problem but already have the necessary actions steps identified to resolve the issue. An example of a corrective control would be Antivirus, which identifies malware and removes it.

In my opinion, the importance of which type of control is highly dependent on how established the IT environment is within an organization. As stated earlier, preventative controls are implemented to prevent a risk from happening. Why have a control that detects or corrects a problem when you can have a control that prevents the problem from happening in the first place? Therefore, for an IT environment that is developing, setting up proper preventative controls will be most important since they want to establish policies and procedures that will mitigate risks from happening in the first place. However, in today’s IT environment, data breaches are prevalent and some breaches go years without being noticed, one example being the recent Dropbox breach that went unnoticed for four years. Therefore, detective controls are more important for well-established IT environments since those organizations need to identify any areas of vulnerability or error. Knowing that there is usually a way to circumvent controls, it is important to first have those preventative controls established then focus on detective controls to really mitigate risks going forward.

Preventive – controls that prevent the loss or harm and reduce the risk from happening in the first place. Examples of preventive controls are segregation of responsibilities and firewalls

Detective – controls that monitor activity to record issues after it has happened. An example of detective controls is performing an audit.

Corrective – controls that restore the system or process back to the state prior to a harmful event

I believe detective controls are the most important controls because it is a response to review the logs to look for the inappropriate event where we can correct data error and recover the issues. If the IT auditors know what the issues are, it can help prevent the next event.

Corrective controls are not practical from a business standpoint because the business might lose business data or business tasks have to be redone and the controls do not help prevent the next event from occurring.
Preventive controls are used to minimize the risks but it is not able to remove all the risks from happening. I think the response after the event is relatively important.

What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?

The three types of risk mitigating controls are: preventative, detective, and corrective. All three play a significant role in ensuring that the company’s assets are properly secured and accounted for.

The most cost effective control is the preventive control because preventative helps avoid the loss of resources to begin with and are usually not very expensive to implement. Examples: employee background checks, employee training and required certifications, password protected access, physical locks, and security camera systems.

When preventive controls fail, detective controls seek to identify issues in order to prevent further errors, irregularities, and harm to company assets. Examples: bank reconciliations, physical inventory check

When preventative controls flop and detective control activities are forced to identify an error or irregularity, corrective control activities then kick in to fix it. Examples: new system implementation to prevent it from happening again, data backups.

In my opinion, all tree controls are equally important because the balance of the three will result in the most secure assets. However, for the sake of the question, corrective controls are the most important because when all else fails, you need an emergency plan to fix the mess up. Otherwise, the company’s assets are dead and gone.

source: https://learn.canvas.net/courses/37/pages/study-how-do-the-three-types-of-internal-control-activities-safeguard-assets?module_item_id=97915

Ian,

You detailed the three controls and gave great examples of the control flow. I also agree that all controls are important for a controlled environment.

However, I think of the most important control as Preventative control because it costs more money to react to a problem, than to prevent the problem. An example of this would be a firewall device. By spending $1,000 on a firewall device and 1-2 hours a week to manage it will reduce the chances of intruders penetrating the network. If you didn’t have the firewall, the intruder could bring down or hold your system hostage for a ransom. Much more than the initial cost and time investment.

It is similar to the medical care some people are practicing today. Some people are don’t go to the doctor out of fear, uninsured, religion, or maybe just don’t have enough time. After a few years without a regular check-up, it turns out the person developed high blood pressure, had a heart attack, rushed to the hospital, and almost dies. The medical costs for this situation are too high and out of my expertise, but rumor has it that it would be expensive. Much more expensive than the 30 minute visit, $20 co-pay, and medication.

The idea is to be pro-active vs. re-active because it is much more expensive to be reactive, and it is much more difficult to budget for multiple unknown disasters. ,

1. What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?

The three types of risk mitigating controls are:

Preventive controls:
They are controls that prevent any problems, losses and harms from happening. For example, segregation of responsibilities, if an employee authorizes a payment to Staples to order office supplies for the company, his supervisor or related person must approve it, which reduces the possibility to do it wrong.

Other examples: secured accounts and passwords, segregation of duties, approvals, authorization, verifications, etc.

Detective controls:
They are designed to find errors or problems after they have occurred. For example, if a person does the general ledger or payment request, his supervisor may review and compare information to identify fraudulent payments.

Other examples: bank reconciliations, physical inventory counts, counts of cash on hand, audits, etc.

Corrective controls:
They restore the system or process back to state prior to a harmful event. For example, if a company’s system was down, they may consider restoring its system.

Other examples: data backups, data validity tests, insurance, training and operations manuals, etc.

Preventive controls are the most important. Because they prevent happening, which minimizes the possibility of loss or errors. They are proactive and emphasize quality.

https://learn.canvas.net/courses/37/pages/study-how-do-the-three-types-of-internal-control-activities-safeguard-assets?module_item_id=97915

http://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html

https://www4.vanderbilt.edu/internalaudit/internal-control-guide/different-types.php

What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
1. Preventive—some of the best controls prevent fraud, theft, misstatements, or ineffective organization functioning. For example, the effectiveness of segregation of duties to prevent fraud. Preventive controls can be as simple as locks and access codes to sensitive areas of a building or passwords for confidential information.
2. Detective—a security camera is a good example of a detective control. A store manager who notices a pattern of a cash drawer coming up short when attended by a particular clerk can easily look at video of the clerk’s actions throughout the day to detect potential theft. An access log and an alert system can quickly detect and notify management of attempts by employees or outsiders to access unauthorized information or parts of a building.
3. Corrective—coupled with preventive and detective controls, corrective controls help mitigate damage once a risk has materialized. An organization can document its policies and procedures, enforcing them by means of warnings and employee termination when appropriate. When managers wisely back up data they can restore a functioning system in the event of a crash. If a disaster strikes, business recovery can take place when an effective continuity and disaster management plan is in place and followed.

I found the explanation and examples this website–on http://www.cfocareer.com/manage-risks-preventive-detective-corrective-controls/. I think the examples are excellent and helped me understand this three risk mitigating controls. In my own words, preventive controls act as a lock to prevent any “bad people” (fraud, loss etc.) to go inside. Detective controls act as a camera to detect any people who break the lock. Corrective controls act as an insurance. After something was stolen, the insurance will help you to minimize the loss. I think the most important one is preventive control because for example, if we can prevent any kind of virus, malware to intrude our computer, we don’t need detective and corrective anymore. However, when a new system invented, people can always find the defect and intrude it. Hopefully one day, someone will invite a program that is unbreakable.

What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?

The 3 types of risk mitigating controls are:
– Preventive controls: stop a bad event from happening…
– Detective controls: record a bad event after it has happened…
– Reactive controls (aka Corrective controls: fall between preventive and detective controls, and provide a systematic way to detect bad events and correct them…

In my opinion, the most important risk mitigating controls are preventive controls because they prevent bad events from happening.

Ian, your explanations and examples are well explained these three types of risk mitigating controls. I also agree with you that corrective controls can be important for the company to restore all systems and data.
However, I would like to say that as Paul said above, “Why have a control that detects or corrects a problem when you can have a control that prevents the problem from happening in the first place? ”

Thanks for sharing your points!

What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?

The three types of risk mitigating controls are:

Preventative: Controls that prevent the loss or harm from occurring.

Detective: Controls that monitor activity to identify occurrences where practices or procedures were not followed.

Corrective: Controls that reestablish the system or process back to the state prior to a harmful event.

These risk all play a vital role in safeguarding an organizations assets. However, the most important control is Preventative. This control allows preventive measures to be installed to prevent harm/threats from happening; by taking the proactive approach, management is able to combat and minimize the possibility of loss in data, money or errors.

1. What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?

The three forms of controls:

1. Administrative – These are the policies, laws that for overall governance.
2. Logical – These are the virtual controls
3. Physical – These are the environmental controls in physical space

To provide the degree to how how to mitigate risks, controls are classified as below,
1. Preventive – Actions taken to prevent a risk or failure.
ex. Establishing policies, governance.
2. Detective – These controls are which identified by a minor activity.
ex. Reconciliation of accesses of employees to confirm if the level of access is based on authorization.
3. Corrective – Corrective controls are actions taken to restore the system or process after an incident has occurred.

All the controls play important role in risk management. However, preventive control is the most important one. They minimize the possibility of loss by preventing the event from occurring.

source [http://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html]

Ans.1
The 3 types of risk mitigating controls are :
1) Preventive controls – These prevent or stop a security incident from occurring.
2) Detective control – through this type of control, a fault in the system is identified upon reviewing the system logs.
3) Corrective or Reactive control – This type of control falls between Preventive and Detective control – meaning that they automatically trigger a corrective action as soon as a fault is identified.
Of the 3 types, I believe that the most important type is the Preventive control. This is for the simple reason that it’s better to prevent an incident from occurring in the first place rather than trying to fix it.

There are three types of risk controls:
1) Preventive Controls

Preventive Controls are designed to keep errors or irregularities from occurring in the first place. Example, installing firewalls, segregation of employee responsibilities, etc.

2) Detective Controls

Detective controls are designed to search for errors or irregularities after they have occurred. For example, Performance reviews, audits, physical inventories, etc.
To put light on performance reviews, managers can compare information about current performance to the prior periods, budgets, forecasts or any other benchmarks to identify
unusual conditions that may require a follow-up

3) Corrective Control

A corrective control restores a process or a system back to the phase prior to an unwanted event.
Examples include submitting corrective journal entries after identifying an error, completing changes to IT user access lists in case of a change in an employee role, etc.

Preventive control sounds the best of all the controls and As an IT manager, if I have resources, I will implement all the controls. But in case of limited resources, an IT manager will have to go with a balanced approach. Implementing preventive controls can be proven costly.

Source: https://www.newpaltz.edu/internalcontrols/about_preventative.html
http://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html

There are three types of risk controls:

Preventive controls. These controls are intended to proactively mitigate the occurrence and/or impacts of risks. Examples include policies and procedures, Firewalls, IPS/IDS.

Detective controls. These controls operate after the fact to identify if a predefined event occurred. Examples such as log file reviews, or scanning current configurations for unauthorized changes and to better enable incident and problem management, are detective in nature.

Corrective controls. These controls are tasked with restoring the current state to an approved state. It may be that a hacker has compromised a system or something has impaired data integrity. Examples include restoring a system and corresponding data from a backup service

I think the detective control is the most important control. Because the detective control can know the loss after attacking and it identifies and reports on all changes.

Paul,

I really enjoyed the way you answered the question regarding which control is the most important. I didn’t think about it in a hypothetical situational based manner.

What are the 3 types of risk mitigating controls? Which is the most important? Why is the most important?

1. Preventive controls: it prevent the problem from occurring. For example, the gas station will launch a policy that not allowed anyone smoke.
2. Detective controls: I think the camera security is a good example, but most the time, it works after the problem occurred. For example, the supermarket will use surveillance camera to observe a specific area.
3. Corrective controls: When the “bad” thing happened, there is something to make it up. Data backups, and insurance is a good example.

I think preventive control is the most important. As one phrase says, prevention is better than cure.

Fred I do not agree when you say that ” it costs more money to react to a problem, than to prevent the problem.” In fact, when assessing risk, organizations have 4 options :

Mitigate risk – activities with a high likelihood of occurring, but financial impact is small. The best response is to use management control systems to reduce the risk of potential loss.

Avoid risk – activities with a high likelihood of loss and large financial impact. The best response is to avoid the activity.

Transfer risk – activities with low probability of occurring, but with a large financial impact. The best response is to transfer a portion or all of the risk to a third party by purchasing insurance for example.

Accept risk – if cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk, then the best response is to accept and continually monitor the risk.

As you can see, accepting the risk is an example where it cost less money to react to a problem.

The 3 types of risk mitigating controls are:

1. Preventive Control – These are controls that prevent the loss or harm from occurring
Ex: Authorization and approval procedures;
-Use of passwords to stop unauthorized access to systems/applications
Supervision such as assigning, reviewing/approving, guidance and trainings
Segregation of duties on authorizing, processing, recording and reviewing;
Controls over access to resources and records.

2. Detective Control – These controls monitor activity to identify instances where practices or procedures were not followed.
Ex: Reconciliations; verifications;
reviews of operating performances; and reviews of processes and activities.

3. Corrective Control- These controls restore the system or process back to the state prior to a harmful event
Ex: Restore data from back up

I think preventive control is most important and effective control among the three types of risk mitigating controls. Preventive control minimizes the possibility of loss in company’s assets by preventing the event from happening.

What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?

The 3 types of risk mitigating controls are:

1) Preventive Control – A set of measures taken in order to reduce a risk from happening

2) Detective Control – Measure taken to determine the the cause of the loss event once it has already happened.

3) Corrective Control – Measures taken restore the loss once the loss event has already happened.

I believe that preventive control is the most important because it minimizes the chance of a loss ever occurring to the company. Although, preventive controls are most important, it can also be the most expensive. Thus, complete prevention is impossible. The other 2 controls are important in the event that preventive controls fail.

Preventive control is definitely most important, but complete prevention is impossible. From your Dropbox example, Dropbox may have taken the best preventative measure but they were still a victim of data breach. The other two measure are important when preventive controls fail.

While I do agree that preventive control is the most important, I think that both detective and corrective control are also very important and should not be downplayed. The key is that preventive control only MINIMIZES risk. They do not eliminate them. Loss can still happen, and when they do, the two other controls play a huge role in preventing similar future loss from happening as well as mitigating the effect of the loss.

What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?

There are 3 types of controls:
• Preventive – These controls prevent the loss or harm from occurring. Example: Firewall or the username, password which stops unauthorized access of data, color coded ID’s.
• Detective – These controls monitors, detects and records after the threat happens. For example, log files- Syslog, Event viewer.
• Corrective – These control detect and correct the situation once it happens. For example, connected backup- to retrieve data from a previous restore point.
Out of the three types of control preventive control is the best because it minimizes from the possibility of loss of data or asset by preventing the event from occurring in the first place. But preventive controls are usually very costly. Corrective controls minimize the impact of loss, by providing a backup but this takes some time and can result in loss of productivity time due to unavailability of the system or application etc. Least effective is detective control, as mostly the damage is done already. But having a detective system in place helps in identifying the threats and risks involved and plan for a better system in place.

Controls can be preventive, detective, or reactive, and they can have administrative, technical, and physical implementations

1. Administrative – laws, policies or standards defined by an organisation. For example, password policy of having a length of minimum 8 characters with alphabets, numbers and special characters.
2. Logical/ Technical – Tools that logically control. Example: firewalls, anti-virus software, content scanner, single sign ons.
3. Physical – These risks are related to physical location of assets and its protection. Example video surveillance systems, gates and barricades, guards, locked doors and terminals, environment controls, and remote backup facilities.

Source: IT Auditing Using Controls to Protect Information Assets.

I think along with detective controls there should be some preventive and corrective controls as well. Once some threat is detected and identified, a protective control has to be in place to avoid the same threat to reoccur. This could lead to loss of reputation of the company and may result in no credibility of the firm with their clients as it can be considered as negligence. Preventive and corrective controls give the clients also a reason to do business with the firm as it implies that you are serious with their data and protection of their assets as well.

Yes all the controls are important.

Yu Ming you mentioned that corrective controls are not useful. I disagree.

For example,

An employee may have worked ina company for almost 10 years and have worked on N no. of projects or have very confidential data on his laptop. What happens if his laptop crashes? All his data is lost. What can be done?

If there is a backup system available we should be able to restore to the nearest restore point, thereby restoring most of the data. Thus reducing the impact.

Now the same for an application server or router or firewall… These can have huge impacts and result in loss of business as well.

I agree with you all. I think that any control in an organization is really important and they support each other with no doubt. Without detective control, preventive controls won’t be as efficient because you have no clue about what to prevent from the harmful causes.

Binu,
I agree with you. However, you mentioned an organization should have a efficient system to minimize the impact. However, Do you agree that an efficient backup system would fall into the preventive controls category? Does an efficient preventive control bring a positive impact to corrective control?

What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?

Three types of risk mitigation controls are preventative, detective, and corrective. Preventative risk controls can be passwords, encryption, firewalls, access restrictions, and other procedure or policy that reduces the probability that a risk or incident can occur. Detective controls can be log files, any type of system/network monitoring, or anything that can capture data to review after an incident to determine the root cause and use to predict/prevent future risks. Corrective controls can be back ups, which will enable the system to be restored to a level before the incident. These type of controls to do not prevent, or seek to determine why it happened. They simply serve to restore the damage.

Preventative controls are the most important controls. While corrective and detective controls are important, preventative controls will be used frequently and likely prove cost effective. Without proper preventative controls, many companies would suffer larger losses than if one of the other too controls were not implemented. If there is no file wall, encryption, login credentials, etc., then a company will most likely suffer a data breach/hack in addition to a myriad of other losses. Data integrity will be compromised which will impact core business functions in addition to many other problems.

Preventive – These type of controls preventing the loss from occurring. Segregation of duties is an example of this type.
Detective – monitoring activity and detect errors or irregularities that may occurred.
Corrective – Restore the system or process back to the state prior to a harmful event. Anti viruses example, correcting errors that have been detected.

Preventive Controls is the most important one, since they minimize the possibility of loss by preventing the error from occurring. They are proactive controls that help to ensure departmental objectives are being met.

Agree with your point Magaly. Preventive Controls are designed to discourage errors from occurring. They are proactive in nature.
In some cases, detection of a irregularity that occurred is the only way to realize that the organization needs controls in that area.

I have experience that I can share,
Objective – Visitor laptops are not allowed in dedicated clean room environments. It must be ensured that visitor do not carry laptops in clean room.
Problem: There used to be a security guard to allow laptops based on the person is employee or visitor. During an audit I introduced myself as a employee and the guard let me take my laptop inside.
This is a finding that was detected.
Solution: The guard did not have list of laptops and their serial numbers that were assigned to employees. This problem was only resolved once detected.
Detective Control – Here audit was the detective control that could point out to the problem.

Preventive controls – these controls proactively mitigate risks by preventing from occurrence, such as password protection, identity authentication, etc.
Detective controls – these controls are designed to find errors and within the organization, include audits, reviews of performance, etc.
Corrective controls – these controls help mitigate damage once a risk has materialized, such as recovery systems.

For me, preventive controls is the chief one, while detective controls is the most important one. There’s no absolutely secure environment exists, all of the organizations in information age are exposed to risks more or less, the most important mission for top management is to detect, and then mitigate the potential risks to an acceptable level. Besides, the data from detective controls can feed predictive analytics tools and support preventive controls.

Alex,

You make great points about a companies options for handling risk. But, in each example, I believe it would cost more to be reactive vs. proactive. However, I will say that my belief is for a majority of the time. Each situation will need to be evaluated independently, but it is safe to assume being pro-active is less expensive than being re-active

You mention Accept risk as costing less to react but I disagree because you are not spending anything to be proactive. Your total preventative costs for accepting risk is $0.00, but reacting to the issue will cost at least $1.00.

3 types of risk mitigating controls are:

1. Preventive controls
2. Detective controls
3. Corrective controls

The most important control is the preventive controls. Preventive controls are put in place to reduce the chances of the event from happening. If the preventive controls does the job, there will never be a need to detect or correct the issue because it was prevented.

Now, realistically there is no solution that will ever eliminate IT risk. That is why we need to be able to detect the issues the preventive controls missed, correct the issues, and readjust your preventive controls if need be.

Question: What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?

The three types of risk mitigating controls are preventive, detective, and corrective.

Preventive control – this type of mitigating control is preventing the harm of loss before them actually happened. For example, one person reports the monthly department administration expenses, but a second person should authorize it.

Detective control – This type of mitigating controls is monitoring activities to identify the problems which obey the rules or procedures.

Corrective control – Corrective controls restore the system or process back to the state prior to a harmful event. For example, the company may have a backup system, if some important data missed, the backup system can correct the mistakes.

I think the preventive control is the most important. Comparing with detective and corrective control, preventive control can stop the loss before it literally occur, and minimize the possibility of damaging the information assets for an organization. Indeed, the cost of preventive control like the firewall of corn servers is usually expensive, but it’s the best way to protect company’s information assets.

Good example of user name and passwords. The personal identification is a very important preventive control in business and mitigate the loss by data leak. I believe that the user name and passwords are one of the most commonly used tools in preventive control. Some organizations now even required the employees set a secondary password on the PCs, which can enhance the security level and better protect the sensitive business information would not have copied by attackers.

Alexandra,

Good example about a store manager install security cameras. I do agree with your opinion that the preventive control is most important. However, when management make a decision of controlling, the cost also should be considered. For example, the firewall and other security devices for core servers maybe costly, only use preventive control to mitigate the risks may have negative influence to the financial statements. Indeed, preventive control can stop lose before happening, but if management reasonable balance all three types of control, the organization may spend less money and lower the risks to an acceptable level.

Paul,

I agree with your opinion that which type of control is important really depends on the specific situation. Generally, the preventive control can stop loss before risks actually occurred, however, the preventive control related devices are usually costly. As for a main public corporation with millions of information assets, the preventive control maybe the most important one for it. But what if it is a new start or barely profitable company? In this case, the company don’t need a top level preventive device like a powerful firewall, or it can’t afford this. In this situation, a cheaper alternative like a backup plan (corrective control) maybe a better choice.

Thanks for your sharing, your reason looks like that one organization can’t live without corrective controls, so that’s the most important, well, organizations can’t live without preventive controls and detective controls as well, does that mean all of them are the most important? It’s not convincing.

But I do agree with you that the balance of the three will result in the most secure assets.

Well-put Yu Ming.
Layered controls implemented as a combination of preventive, detective and corrective controls, decrease the probability of failure exponentially. Systems that house sensitive information or are critical to business usually have layered controls for the same reason.

Paul, you showed some great forethought into the question regarding the maturity of the environment we’re talking about and how detective controls could be more important than preventative controls. I honestly don’t think there is a true “correct” answer to the questions because it always depends on certain variables that we are left to assume. In this instance I would have to put preventative controls above detective controls, however, timing is everything. If the system had been put in place before any controls were put in place, what’s more important, attempting to stop future breaches or making sure that a breach hasn’t already occurred. To me it’s almost 6 to one half a dozen the other. Great perspective.

Jianhui,

I agree with you, Corrective controls restore the system or process back to the state prior to a harmful event. For example, a business may implement a full restoration of a system from backup tapes after evidence is found that someone has improperly altered data.

Fred/Brou,

Yes, there are situations where it costs more to prevent than respond to the risk. However, yes, if your response is to just accept the risk, than it obviously doesn’t cost more. There are situations where it costs more to prevent and respond and vice versa…

My point is yes, it may cost more money to respond but if you can’t respond to an attack, it will cost way more than it would have cost to just plan and executive a response to an attack. The way I look at it is, there is always a hole. You can spend all of your resources on prevention and someone will still get by. That is the way of the cyber world. No system is impenetrable. Therefore, although prevention is very important, I believe risk response is the most important.

Q 2. How you would apply the FIPS security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?

FIPS applies security categorization in 2 ways:

1. SECURITY CATEGORIZATION APPLIED TO INFORMATION TYPES:

Establishing an appropriate security category of an information type essentially requires determining the potential impact for each security objective associated with the particular information type. The generalized format for expressing the security category, SC, of an information type is:

SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE

2. SECURITY CATEGORIZATION APPLIED TO INFORMATION SYSTEMS

Determining the security category of an information system requires slightly more analysis and must consider the security categories of all information types resident on the information system.

The generalized format for expressing the security category, SC, of an information system is:

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are LOW, MODERATE, or HIGH

Information Security risk mitigation (safeguards) described in the FGDC guidelines are:

• The first is to change the geospatial data. You may find that the geospatial contain sensitive information that needs to be safeguarded but that changing data they would still be useful and could be made publicly accessible. This decision starts with your organization determining whether it has the authority to change the data. The idea of changing geospatial data includes redaction or removal of sensitive information and/or reducing the sensitivity of information by simplification, classification, aggregation, statistical summarization, or other information reduction methods.

• The second, and last, type of safeguard is to restrict access to, uses of, and/or redistribution of the data. At this step, you must decide if your organization has the authority to restrict the data. Some organizations have laws, regulations, policies, or concerns about liability that compel them to release data. Others have clear authority to restrict data.

Based on the decision taken from the two types of safeguards the security categorization of information type and information system is performed. The values are inserted in the formula and category is found.

EXAMPLE:

An information system used for large acquisitions in a contracting organization contains both sensitive, pre-solicitation phase contract information and routine administrative information. The management within the contracting organization determines that: (i) for the sensitive contract information, the potential impact from a loss of confidentiality is moderate, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is low; and (ii) for the routine administrative information (non-privacy-related information), the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low. The resulting security categories, SC, of these information types are expressed as:

SC contract information = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},

and

SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.
The resulting security category of the information system is expressed as:
SC acquisition system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},

representing the high water mark or maximum potential impact values for each security objective from the information types resident on the acquisition system.

Great explanation and example Deepali!

Choosing the suitable security controls for an organization’s information systems can have tremendous repercussions on the operations and assets of an organization as well as the wellbeing of persons and the Nation as a whole.

Deepali, you provided clear explanations and examples on the security categorization.

I just want to add the potential impact definitions for each security objective—confidentiality, integrity, and availability and I believe it helps us learn the FIPS security categorizations in detail.

Security Objectives:
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Integrity
Guarding against improper information modification or destruction, and includes ensuring information non- repudiation and authenticity.

Availability
Ensuring timely and reliable access to and use of information.

===============================================================

Potential impact:
Low
The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Moderate
The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

High
The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

Another example of how the FIPS security categorizations can be used to decide if each of the information security risk mitigation described in the FGDC guidelines is the redaction of classified documents before released to the public. There is no doubt that covert operations are taking place without public knowledge. An example is the hunt for Osama Bin Laden.

In this example the Security categorization would be something like this:
SC information Type= {(Confidentiality, HIGH), (Integrity, High), (Availability, Low)}

Based on this SC, information leakage of Bin Laden’s location could have severe degradation to Seal Team 6’s mission, probably making the mission a failure. If integrity of the information provided by an intelligence group to Seal Team 6 was improperly modified it could have caused mission failure or loss of life to the operators. The availability of that information has limited affect to the USG, after all it did take them ten years to find Bin Laden.

SC Information System = {(Confidentiality, HIGH), (Integrity, HIGH), (Availability, High)}
For information systems, I’m specifically talking about the communication systems that Seal Team 6 had when executing the mission. If CIA security objectives were not met, then the loss of life would be imminent. If the enemy were able to hijack communication signals between the members of Seal Team 6, modify the communication between headquarters and the team, or scramble the communication of the team then the mission could have meet a severe or catastrophic ending.

The FGDC guidelines were used to redact or modify mission records to protect the names of Seal Team 6. The released records did not contain pertinent mission information, like how the location of Bin Laden was obtained, preserving the methods of intelligence gathering by the USG.

I would create the table to match table 8.2 in the Information Security Handbook: A Guide for Managers publication. After reviewing the security risks for the company, I would categorize each risk as a low, moderate, or high impact. I would review the FGDC guidelines to determine if the risks levels require specific safeguard procedures.

If I’m understanding this, the FGDC has guidelines for collecting, processing, archiving, integrating, and sharing geographical data. A risk may be improperly labeling latitude and longitude, putting the users at risk with high impact.

Deepali,

You explained it very detailed and very well, thank you, I liked the example and the way you categorized the information.

The FGDC guidelines recommends following safeguards in order to address the security concerns before disseminating the geospatial data to public .
1)Change the data
2)Restrict the data
Both the safeguards are posing the risk at the two important security objectives of INTEGRITY and AVAILABILITY.
When the data has been changed to mitigate the security concerns it is actually an act of improperly modifying the data which stands against the integrity principle of security objective.
When there is restriction on access of particular data in order to protect the particular information it is against the objective of availability of data.

Great point.

The altering of data inadequately changes the data which contradicts the whole principle of Integrity. Additionally, the constraints on the public’s access to data, undermines the principle of Availability as well.

Integrity and availability are the two information security objective that could be put at risk if safeguards are applied.
In fact, Integrity refers to guarding against improper information modification or destruction whereas, safeguard offers the option to “change the data, to remove or modify the sensitive information and then make the changed data available”. Although organizations need to have the authority to make those changes, safeguarding the data may result in a lack of integrity.

Similarly, availability refers to a reliable access and use of the information with no disruption. However, safeguards establish restrictions, on access to, use of, or redistribution of the, data.

Just restating what everybody has already said:

The FGDC guidelines for safeguarding Geospatial data are:
1. Change the data – changing the data to remove sensitive information and then make the changed data available without further safeguards.
2. Restrict the data by adding additional access controls or Defense-on-depth to protect the data from access, use , and redistribution.

I agree with what everybody else said about how these two safeguards would adversely affect Integrity and Availability of the security objectives, Changing the data would definitely affect the authenticity of the data disseminated to the public, but Integrity is the “improper” modification or destruction of data. If the guidelines are appropriately followed through the decision tree, the originator of the data may modify the data in the interest of national security or public safety.

For instance, we know that America has fighter carriers and battleships deployed all over the world. We know that they’re in the Asia-Pacific, Atlantic Ocean, Mediterranean, etc, but we do not have access to exact GPS location data. Based on that, the US Government is in fact using both safeguards guidelines to protect the Navy’s fleet from unwarranted or targeted attacks. Their exact locations are available but are highly restricted to only those with required clearance.

Although those guidelines would hinder the Integrity and Availability of security objectives, it’s only towards the public. If proper controls are in placed for the data to be use by “privileged” personnel, then I believe that Availability and Integrity of that information will not be affected and probably meets the security objectives with flying colors.

The two information security objectives that could be put at risk are:

1. Integrity – You will lose the ability to see previously labeled items. I am not sure if this is a good example but Pluto was mapped as a planet, if the FGDC said it wasn’t there, it must be changed or restricted.

2. Availability – You won’t have access to the data on Pluto anymore because, as far as anyone is concerned, it never existed.

The government recognizes that other organizations may benefit from geospatial data it has collected. An issue arises when some of that data is considered sensitive, so guidelines were put in place before being allowed to publish the data. These change the way the data appears to users. The two information security objectives that could be at risk with the FGDC guidelines are confidentiality and integrity.

The first FGDC guideline is change the data. In this, they modify the data set so that sensitive information would be unrecognizable to the end user. This jeopardizes the integrity of the data. For safety, geographic points would be moved and the data set may end up not being usable by researchers. Ultimately, data is destroyed that may have been vital to the integrity of the data.

The second FGDC guideline is restrict the data. For this, they set up strong blocks that prevent access to the data relative the risk that the data holds. The confidentiality of the data is now at risk. The safeguards would have to vet those trying to the access the most sensitive data very closely. This may lead to an unauthorized disclosure to the public.

Noah,

The question asking two made it difficult for me to pick. I thought of Confidentiality in the same way because it would put the information at risk of being leaked,

I decided to go with integrity because they are restricting the truth and availability because it isn’t accessible, but confidentiality is also put at risk because now you restrict the information and there is a risk it may be leaked.